SUCCESSION PLANNING: THE BEST WAYS TO MAKE IT WORK FOR YOU  Page 40


BY  STEPHANIE  OVERBY 


When,  why,  how  and  whether  to 
adopt  the  new  Internet  protocol 

Page  76 


THE  WAR  AGAINST  I.T. 


Strategies  for  combatting 
the  backlash  against  RFID 
and  other  new  technologies 

Page  48 

OCTOBER  1,  2006  |  $9.00  \  CIO.COM 


The  World  According  To  Stephen 

Dynamic  Networking  from  AT&T  enables  converged  communications  across 
locations  worldwide.  By  proactively  identifying  changes  in  traffic  volume  and 
responding  in  real  time,  Stephen's  network  can  move  resources  more  efficiently, 
and  securely.  Learn  how  Dynamic  Networking  can  enable  your  business. 




I  am  the  shepherd  of  resources. 

The  ringleader  of  processes. 
The  conductor  of  an  inventory 
in  transit  across  three  continents. 


This  is  my  world 



Your  world.  Delivered. 

GREATER  SPEED.  GREATER  CONTROL 


Go  Pro 


Introducing  Intel®  vPro™  technology. 

Greater  control  built  in  to  your  desktop  fleet. 

Intel® vPro™ technology is more than just a new processor. It's an integrated set of new technologies designed
to work together. Your ability to manage your entire enterprise is built in. So is your ability to remotely heal
PCs even when powered down. Built around the extraordinary performance of the new Intel® Core™2 Duo
processor, Intel vPro technology adds functionality to leading network management software. To download
the Intel vPro technology whitepaper, go to intel.com/vpro.


Vanguard’s  Jeff  Dowds  used  cost 
and  quality  metrics  to  make  a 
business  case  for  keeping  IT 
development  in-house. 


52  Just  Say  “Know” 


OCTOBER 1, 2006 | VOL/20 | NO/1


Columns 


40  Grow  Your  Own 

career  Smart succession planning
can help the CIO cultivate and keep
future leaders—and boost his own
career prospects. By Martha Heller

44  A  Good  Offense  Is  a 
Good  Defense 
outsourcing  It  pays  for  CIOs  to 
map  their  own  plays  before  a  mandate 
to  outsource  comes  down  from  on  high. 
By  Susan  Cramm 

48  The  Luddites  Are 
Coming! 

policy  CIOs  must  arm  themselves 
against  the  growing  backlash  to 
revolutionary  new  technologies  like 
online  commerce  and  RFID  chips. 

By  Robert  Atkinson 

more  » 


cover  story  |  outsourcing  The  boss  may  assume  that 
outsourcing  is  the  answer  to  everything.  But  CIOs  can’t  afford  to 
assume  anything.  They  have  to  know.  By  Stephanie  Overby 

70 | Cure for the Blues

mid-market | view from the top  For this mid-market health-care
insurer, today's IT investments are the prescription for a healthy future.

By Allan Holmes

76 | The Protocol Supremacy

network strategy  IPv6, the Internet's new communication
technology, is coming—whether CIOs are ready or not. But being ready
could save you millions and reduce security risks. By Ben Worthen


www.cio.com  |  OCTOBER  1,  2006  3 


Your  enterprise  information  is  exploding, 
along  with  the  demands  to  make  it  all  mobile. 


NOW IT'S UP TO YOU TO MAKE IT WORK.


When  businesses 
get  serious  about 

INFORMATION 
MANAGEMENT 
AND  MOBILITY 
they  get  Sybase. 

Ready  to  get  serious  about  taking  your  data  infrastructure  to  the  next  level?  Choose  the  company  that  81  of 
Fortune  100  organizations  rely  on  to  securely  deliver  decision-ready  information  to  the  point  of  action  while 
providing  the  IT  control  you  need:  Sybase.  Our  modular  software  helps  your  IT  staff  to  break  down  the  complex 
barriers  in  your  data  flow,  ensuring  information  moves  seamlessly  and  securely  between  data  sources  and  points 
of  action.  So  if  you’re  ready  to  make  the  Unwired  Enterprise  a  reality,  let  Sybase  help  you  deliver  some  serious  results. 
To  learn  more,  visit  www.sybase.com/getserious1 


Copyright  ©2006  Sybase,  Inc.  All  rights  reserved.  Sybase  and  the  Sybase  logo  are  trademarks  of  Sybase,  Inc. 

®  indicates  registration  in  the  United  States  of  America.  All  product  and  company  names  are  trademarks  of  their  respective  owners. 


Sybase 




in  Every  Issue 


8  From  the  Editor 

Inevitably, the future looks quite different
from the past. By Abbie Lundberg

10  From  the  Publisher 

What  CIOs  taught  me.  By  Gary  Beach 

16  Inbox 

Readers  weigh  in  on  staffing  and 
money  matters. 

25  Trendlines 

► New chips may affect IT budgets
► Sprint's leap into WiMax
► Can Rubik's Cube solve business issues?
► From “One to Watch” to CIO
► Chilling data center costs
► Users Say PCs Are Like Edsels
► Indian IT services giants seek U.S. staff
► Metrics for IT-business alignment
► Brits demand access to your data
► How to move to a new industry


35  Essential  Technology 

Bendable  displays?  Mind-reading  PCs? 
Some  futuristic  technologies  are  closer  to 
fact  than  fiction.  By  Michael  Fitzgerald 


86  Forum 

The  CIO  Executive  Council  shares 
strategies,  tips  and  insights  on  SOA. 

By  Carrie  Mathews 

90  Index 


92  Endlines 

Department  of  Self-Interest 

By  Thomas  Wailgum 



[THE  CIO  ROLE] 

Why  Don’t  They  Get  It? 

“We've gotten some very early results back from
our annual ‘State of the CIO’ survey. The statistic I
always seek out as the barometer of the health of
strategic IT is the reporting relationship of the CIO.
Most CIOs still do not report to the CEO. How can
IT be strategic—and corporations hope to survive—if
the CIO does not report to the CEO?”

That's CIO Executive Editor Christopher Koch trying to
make sense of something that...just...doesn't.

» blogs.cio.com/the-slow-painful-demise-of-strategic-IT


[OUTSOURCING] 

YES,  NO  OR  MAYBE 

Maybe you should outsource; maybe you
shouldn't. But you should always have a
say in the decision. Start your research with
a report from Nautilus Advisors, “How to
Avoid Outsourcing (When Everyone Around
You Thinks It's a Good Idea)” and follow that
with “Sourcing Strategy: Knowing When to
Outsource,” from Source:Renaissance.

www.cio.com/100106 

[THE  INTERNET] 

DON’T  CALL  ME, 

I’LL  CALL  YOU 

CIO Senior Writer Ben Worthen wants to
integrate the various ways people can contact
him. The technology to do that is possible—but
is the cooperation it will demand?

blogs.cio.com/introducing-the-federnet 


THE  NEWS  OF  THE 
WEEK  IN  REVIEW 

Every  Friday,  Online  News 
Editor  Al  Sacco  collects, 
digests,  chooses,  boils 
down  and  posts  the  week’s 
10  top  technology  and 
business  stories — 
all  for  you. 
www.cio.com 


CIO.com


»  Podcasts  CIO  Daily  News  Show 
»  IT  Events  What’s  happening  everywhere 
»  Tech  Informer  Patches,  products  and  more 
»  Blogs  CIO  editors  have  their  say  and  you  talk  back 


3PAR  THIN 
PROVISIONING 

Good  for  your 

business... 

good  for  the  planet 


LESS  DISK  DRIVES 


"By consolidating on 3PAR, we've
doubled our capacity utilization."

Ron  Rose,  CIO  of  Priceline.com 


LESS  ENERGY 


LESS  GREENHOUSE 
GASES 


3PAR's  simple,  efficient  and  massively  scalable 
storage  arrays  with  Thin  Provisioning  are 
revolutionizing  the  mission-critical  data  center. 
3PAR  customers  can  buy  half  the  storage 
capacity  required  with  traditional  storage 
arrays.  Deploying  3PAR  Utility  Storage  means 
lower  capital  costs  and  reduced  consumption 
of  electricity  and  data  center  floor  space. 

To  learn  more  about  3PAR  Thin  Provisioning  request  a  free 
white  paper  from:  www.3par.com/green  or  contact  us: 
salesinfo@3pardata.com  or  1-888-3PAR-226  extension  2. 


Think  Thin.  Think  Green.  Think  3PAR. 


3PAR

Serving  Information 


FROM  THE  EDITOR 


The  CIO  Role: 
Predictions 


Inevitably,  the  future  looks 
quite  different  from  the  past 




At our recent CIO 100 Symposium, I ran a session called “Sound Off on Innovation,”
bringing together four very opinionated people to discuss six controversial issues
for CIOs: outsourcing and its impact on innovation; software development practices;
customers; service-oriented architecture; the impact of consumer IT on the enterprise;
and CIO reporting relationships. The discussion was lively, at times contentious and
sometimes hilarious. You can view the
webcast at www.cio.com/100106.

We concluded the session with predictions.
Some themes emerged, particularly
about changes in the CIO role.

Here’s  our  look  into  the  future: 

Maggie  Miller,  CIO,  Warner  Music 
Group,  went  first.  “If  we’re  really  going  to  optimize  our  businesses,”  she  said,  “IT  and 
business  processes  have  to  be  indivisible.  More  CIOs  will  become  COOs,  and  the  CIO  job 
itself  will  move  more  into  the  COO  role.” 

Michael  Schrage,  codirector  of  the  eMarkets  Initiative  at  the  MIT  Media  Lab  and 
a  regular  CIO  columnist,  offered  two:  First,  “Boards  of  directors  will  become  more 
operationally  involved  in  IT-related  organizational  transformations.”  Second,  “There 
will  be  fewer  CIOs  seven  or  eight  years  hence.  The  CIO  function  will  be  decentralized 
into  business  process  functions.” 

Jerry  Gregoire,  former  CIO  of  Dell  and  PepsiCo,  also  offered  two  predictions.  The  first 
was  about  the  impact  of  consumer  IT  on  the  enterprise.  He  used  the  PC  to  illustrate:  “As 
consumers  go  through  their  next  refresh  cycle  on  their  home  systems,  they’re  going  to 
turn  from  PCs  to  Apple  because  Apple  is  going  to  run  Windows  apps  better  than  PCs 
do.  Then  they’re  going  to  come  to  work  and  ask  why  they  can’t  have  an  Apple,  and  you’re 
going to be right back where you were 10 years ago,” saying no to users. His second prediction
addressed the question of whether innovation could be outsourced: “In the next
few  years,  the  CIO  100  will  become  the  CIO  200.  There’ll  be  one  award  for  the  company 
that  paid  to  have  the  project  done  and  one  for  the  company  that  actually  did  it.” 

Gregor  Bailar,  CIO,  Capital  One  Financial,  predicted  that  “the  CIO  role  is  going  to  be 
in  the  biggest  transformation  it’s  been  in  over  the  past  20  years  because  of  the  need  for 
CIOs to stand up and be spokesmen for and instigators of process change and innovation
within their company.”

I  threw  in  my  own  prediction:  “CIOs  who  don’t  get  their  arms  around  the  impact  of 
consumer  technology  on  the  enterprise  are  putting  their  jobs  and  their  organizations  at 
risk—either because they're going to be leaving their companies vulnerable or they're
going  to  miss  out  on  a  big,  big  wave  of  innovation.” 

What’s  your  big  prediction  for  the  next  few  years?  Add  it  to  the  online  version  of 
this article at www.cio.com/100106.


CIOs need to "stand up and be
spokesmen for and instigators
of process change and innovation
within their companies."

-Gregor Bailar, CIO, Capital One


Abbie  Lundberg,  Editor  in  Chief 

lundberg@cio.com 


P.S.  And  speaking  of  the  future,  nominations  are  now  open  for  the  third  annual  Ones 
to  Watch  awards,  presented  by  CIO  and  the  CIO  Executive  Council.  If  you  know  a 
talented up-and-comer, nominate him or her today at www.cio.com/awards/watch.




PHOTO  BY  STEVEN  VOTE 




Dell  recommends  Windows®  XP  Professional 


DELL™  LATITUDE™  D620  NOTEBOOKS 
FOR  BUSINESS  FEATURE  THE  FREEDOM  OF 
INTEL®  CENTRINO®  DUO  MOBILE  TECHNOLOGY. 


Pure  durability 

The  magnesium  alloy  casing  and  built-in  shock  absorbers 
keep  the  Dell  Latitude  D620  RoadReady.™  So  you  can 
worry  less  that  it  will  stop  when  it  drops.  And  keep  your 
data  protected  from  the  unexpected.  It’s  your  enterprise. 


Dell  cannot  be  responsible  for  errors  in  typography  or  photography.  Dell,  the  Dell  logo,  Latitude  and  RoadReady  are  trademarks  of  Dell  Inc.  Intel,  Intel  logo,  Intel  Inside,  Intel  Inside  logo,  Centrino  and  the  Centrino  logo  are 
trademarks  or  registered  trademarks  of  Intel  Corporation  or  its  subsidiaries  in  the  United  States  and  other  countries.  Microsoft  and  Windows  are  either  registered  trademarks  or  trademarks  of  Microsoft  Corporation 
in  the  United  States  and/or  other  countries.  ©2006  Dell  Inc.  All  rights  reserved. 



BUSINESS  TECHNOLOGY  LEADERSHIP 


FROM  THE  PUBLISHER 


Lessons  Learned 

What  CIOs  taught  me 


I  recently  attended  the  19th  annual  CIO  100 
Symposium,  where  we  honored  the  top  CIOs  in  the 
country.  Here’s  what  I  learned  from  them.  (And 
for  more  lessons  learned  from  the  CIO  100,  go  to 
www.cio.com/081506.)

■  Mobile,  shmobile.  Only  one  in  10  enterprise 
workers  has  access  to  e-mail  on  a  BlackBerry  or 
Palm  Treo,  and  even  fewer  can  access  business  apps 
on  those  devices.  Conclusion:  There’s  huge  growth 
potential  in  the  enterprise  mobility  market. 

■  Communication, communication and more communication, among all levels
of your IT staff, is critical to delivering innovative solutions. Regulatory and legal
issues are the biggest external roadblocks to innovation, while unsupportive corporate
cultures and inadequate funding constitute the main internal speed bumps.

■  Training  end  users— initially  and  continually— is  the  most  important  thing 
a  CIO  can  do  when  rolling  out  an  innovative  application. 

■  If  you  want  to  be  innovative,  you  gotta  embrace  your  failures  and  accidents. 

■  Don't even try to stop the tsunami of consumer devices entering your infrastructure.
It's a losing battle. In fact, it's already been lost. (But put Skype at the
top of your public enemies list.)

■  Saving  money  (“the  whole  mess  for  less”)  is  absolutely  the  worst  reason 
to  outsource.  You  outsource  to  grow  your  business  the  right  way. 

■  Vendors  do  not  sell  service-oriented  architecture  solutions;  CIOs 
must  buy  them. 

■  The  CIO’s  future  role  will  morph  into  the  CEO’s  present  job. 

■  My  biggest  lesson?  Realizing  how  much  I  didn’t  know! 


Gary  Beach,  Publisher 

gbeach@cio.com




president  and  ceo  Michael  Friedenberg 

publisher  Gary  J.  Beach 

CXO  MEDIA 

CIRCULATION 

svp,  circulation  Carol  A.  Spach 
subscription  svcs.  supervisor  Tina  Pescaro 

CIO  EXECUTIVE  COUNCIL 
GENERAL  MANAGER  Mark  Hall 
program  director  Shaw  Lively 
vp,  development  Dexter  Siglin 
MANAGING  DIR.,  CONTENT  DEVELOPMENT  Richard  Pastore 
dir.,  external  relations  Karen  Fogerty 
director  of  research  Michael  Swenson 
marketing  communications  manager  Jennifer  Baker 
MGR.  OF  OPERATIONS  AND  PROJECT  MGMT.  Jean  Costello 
director  of  development  Steve  Rovniak 

PROGRAM  SERVICES  MANAGERS 

Michael Fahlsing, Ellen Friedman, Bill Golden,
Carrie  Mathews,  Bill  Roche 

DEVELOPMENT  MANAGERS 

Patrick  Clarke,  Lauren  DeLong,  Steve  Dodman, 
Robert  Graham,  John  Harrison 

EXECUTIVE  PROGRAMS 

vp,  executive  programs  Ellen  Daly 
DIR., BUSINESS DEVELOPMENT  John Vulopas
director,  event  marketing  Mary  Conroy 
conference  manager  Judith  Kittredge 
event  planner  Sarah  Reagan 
event  coordinator  Bethany  Whiffin 
client  relations  associate  Lisa  Byron 
client  services  specialist  Cress  O'Brien 

INFORMATION  SYSTEMS 
idg  dir.  of  information  services  Nancy  Newkirk 
lead  developer  Sean  McCracken 
senior  user  support  specialist  Christopher  A.  Kay 
user  services  specialist  Gloria  Lam 
senior  web  developer  David  Cohen 
web  developer  Sanghee  Seo 

PRODUCTION 

VP,  manufacturing  Chris  Cuoco 
production  manager  Heidi  Broadley 
associate  production  manager  Lisa  M.  Stevenson 

MARKETING 

sr.  director,  marketing  comm.  Sue  Yanovitch 
sr. marketing comm. specialist  Susan Murray
marketing comm. specialist  Lynn Holmlund

RESEARCH 

research  director  Lorraine  Cosgrove  Ware 

research  manager  Carolyn  Johnson 

ADMINISTRATION 

coo  Matt  Smith 

dir.,  finance  Margarita  Chiango 

FINANCIAL  ANALYST,  ONLINE  AND  INTEGRATED  PRODUCTS 

Chris  Bernardi 

executive  assistant  to  the  president  Diane  Martin 
ACCOUNTING SPECIALIST  Joyce Gillis
facilities  specialist  John  Kelley 
office  services  coordinator  Mary  E.  Wooldridge 

HUMAN  RESOURCES 
vp, human resources  Patricia Chisholm
sr.  hr  representative  Beth  S.  Ramistella 


INTERNATIONAL  DATA  GROUP 

board  chairman  Patrick  J.  McGovern 

president,  idg  communications  Bob  Carrigan 




PHOTO  BY  WEBB  CHAPPELL 


OPTIMIZE | SECURE | MANAGE | SUPPORT


It's  not  just  what  we  bring  to 
the  table  in  IT  Security. 

It's  what  we  take  off  your  plate. 


You  could  try  to  build  an  effective  IT  security  strategy  on  your  own. 

But  do  you  really  have  the  time?  The  resources?  The  comprehensive 
expertise?  Partner  with  Akibia,  and  you  can  leave  it  all  to  us. 

With  over  20  years  of  experience,  we  provide  the  expert  consulting, 
integration  and  support  services  you  need  to  implement  a  total  integrated 
security  solution.  Through  our  partnerships  with  leading  technology 
providers,  we’re  able  to  identify  and  deliver  best-in-class  solutions, 
such  as  the  Nokia/Check  Point™  all-in-one  Security  Gateway  or  Akibia's 
Managed  Check  Point  Firewall  Service.  All  the  while,  we  remain  objective, 
service-oriented,  and  focused  on  what  matters  most:  Securing  your 
corporate  infrastructure,  while  reducing  the  burden  on  you. 

Akibia  is  an  independent  IT  services  company  that  enables  organizations  to 
optimize,  secure,  manage  and  support  their  mission-critical  infrastructure. 

FREE  AKIBIA  SECURITY  ANALYSIS 

For  more  information  visit  www.akibia.com/securityanalysis 

www.akibia.com 


NOKIA 


Check Point

SOFTWARE  TECHNOLOGIES  LTD. 


We  Secure  the  Internet. 


© Akibia 2006. All Rights Reserved. "Akibia" is a registered trademark of Akibia, Inc., in the U.S. and other countries. "Nokia" is a registered trademark of Nokia Corporation.
Check  Point  is  a  trademark  of  Check  Point  Software  Technologies  Ltd.  in  the  U.S.  and  other  countries. 


BUSINESS  TECHNOLOGY  LEADERSHIP 


president  and  ceo  Michael  Friedenberg 
publisher  Gary  J.  Beach 

EDITORIAL 

editor  in  chief  Abbie  Lundberg 
managing  editor  David  Rosenbaum 

EXECUTIVE  EDITORS 

Christopher  Koch,  Elana  Varon 

WASHINGTON  BUREAU  CHIEF 

Allan  Holmes 

TECHNOLOGY  EDITOR 

Laurianne  McLaughlin 

SENIOR  EDITORS 

Stephanie  Gelston,  Stephanie  Overby 

SENIOR  WRITERS 

Thomas  Wailgum,  Ben  Worthen 

CONTRIBUTORS 

Robert  Atkinson,  Gunjan  Bagla,  Susan  Cramm, 
Michael  Fitzgerald,  Martha  Heller,  Jeremy  Kirk, 
Stephen  Lawson,  Carrie  Mathews, 
Elizabeth  Montalbano 

EDITORIAL  ADMINISTRATOR 

Jill  Paquette 

DESIGN 

EXECUTIVE  DIRECTOR,  ART  AND  DESIGN 

Mary  Lester 

art  director  Terri  Haas 

ASSOCIATE  ART  DIRECTORS 

Matthew  Goebel,  Chandra  Tallman 

COPY  TEAM 

ASSISTANT  MANAGING  EDITOR 

Emily  S.  Henderson 

SENIOR  COPY  EDITORS 

Diann  Daniel,  Cathy  Mallen 

COPY  EDITOR 

Susan  Bryant-Still 

EDITORIAL  ASSISTANTS 

Margaret  Locher,  Christopher  Lynch, 
Katherine  Walsh 

ONLINE  EDITORIAL 

ONLINE  EDITORIAL  DIRECTOR 

Christopher  Lindquist 

SENIOR  ONLINE  EDITORS 

Sandy Kendall, Paul L. Kerstein, Meridith Levinson

ONLINE NEWS WRITER  Al Sacco

online  copy  editor  David  Gradijan 

RESEARCH 

RESEARCH  DIRECTOR 

Lorraine  Cosgrove  Ware 

RESEARCH  MANAGER 

Carolyn  Johnson 



INTERNATIONAL  DATA  GROUP 
BOARD  CHAIRMAN  Patrick  J.  McGovern 

president, idg communications  Bob Carrigan



©CXO  Media  Inc. 


WHAT  WE  COVER,  WHOM  TO  CONTACT 

CIO  CAREER 

ENTERPRISE 

■  Skills

INFRASTRUCTURE 

■  Job  Specs 

■  Enterprise  Architecture,  SOA 

■  Career  Path 

■  Middleware 

■  Professional  Development 

■  Enterprise  Resource  Management  (ERP) 

■  Personal  Development 

■  Supply Chain Management (SCM)

Stephanie  Gelston,  sgelston@cio.com 

■  B2B  Electronic  Commerce 

Meridith Levinson, mlevinson@cio.com

Christopher  Koch,  ckoch@cio.com 

Thomas  Wailgum,  twailgum@cio.com 

LEADERSHIP  &  MANAGEMENT 

■  Governance  &  Alignment 

Ben  Worthen,  bworthen@cio.com 

■  Budget  Management  &  IT  Value 

CUSTOMERS 

■  Business  Process  Redesign 

■  Customer  Resource  Management  (CRM) 

■  Management  Methodologies 

■  B2C  E-Commerce 

■  Project  Management 

■  Business  Intelligence 

Christopher  Koch,  ckoch@cio.com 

■  Privacy 

Elana  Varon,  evaron@cio.com 

Allan  Holmes,  aholmes@cio.com 

SOURCING  &  STAFFING 

TECHNOLOGY 

■  Staffing 

■  Emerging  Technology 

■  Vendor  Management 

■  Networking  &  Communications 

Stephanie  Gelston,  sgelston@cio.com 

■  Data  Center 

Stephanie  Overby,  soverby@cio.com 

■  Storage 

■  Hardware 

RISK  MANAGEMENT 

■  Wireless/Mobility 

■  Security 

■  Knowledge  Management 

■  Business  Continuity 

Christopher Lindquist, clindquist@cio.com

■  Compliance 

Laurianne McLaughlin, lmclaughlin@cio.com

Allan  Holmes,  aholmes@cio.com 

Ben  Worthen,  bworthen@cio.com 

Thomas Wailgum, twailgum@cio.com

GOVERNMENT 

Allan  Holmes,  aholmes@cio.com 

COLUMN  &  DEPARTMENT  CONTACTS 

Applied  Insight 

Martha  Heller 

Christopher  Koch,  ckoch@cio.com 

Stephanie  Gelston,  sgelston@cio.com 

Book  Reviews 

Michael  Schrage 

Laurianne McLaughlin, lmclaughlin@cio.com

Abbie  Lundberg,  lundberg@cio.com 

By  the  Numbers 

On  the  Move 

Laurianne  McLaughlin,  lmclaughlin@cio.com 

Meridith Levinson, mlevinson@cio.com

Endlines 

Peer  to  Peer 

David  Rosenbaum,  drosenbaum@cio.com 

Elana  Varon,  evaron@cio.com 

Essential  Technology 

Susan  Cramm 

Laurianne McLaughlin, lmclaughlin@cio.com

Stephanie  Gelston,  sgelston@cio.com 

Forum 

Total  Leadership 

David  Rosenbaum,  drosenbaum@cio.com 

Elana  Varon,  evaron@cio.com 

In  Box 

Trendlines 

Cathy Mallen, cmallen@cio.com

Keynote 

Elana  Varon,  evaron@cio.com 

Laurianne  McLaughlin,  lmclaughlin@cio.com 

e-mail  letters@cio.com  phone  508  872-0080  fax  508  879-7784  address  CIO  Magazine,  CXO  Media  Inc., 
492  Old  Connecticut  Path,  P.O.  Box  9208,  Framingham,  MA  01701-9208  website  www.cio.com 
subscriber  services  866  354-1125  •  Fax  847  564-9453  •  E-mail  cio@omeda.com 
reprint  services  Jennifer  Eclipse  •  PARS  International  •  212  221-9595  ext.  237  •  E-mail  jeclipse@parsintl.com 
rights  and  permission  Yadira  Pizarro  •  212  221-9595  ext.  231  •  E-mail  yadira@parsintl.com 




TATA 


WHERE  DO  7  OF  THE  TOP  10  FORTUNE®  100 
TURN  FOR  THEIR  I.T.  NEEDS? 

TO  THE  BIGGEST  I.T.  COMPANY  YOU’VE  PROBABLY  NEVER  HEARD  OF... 


Presenting  Tata  Consultancy  Services,  TCS,  the  creator  of  the  Network  Delivery  Model 
for  software  development.  For  over  37  years  TCS  has  been  the  provider  of  choice  for 
hundreds  of  customers  around  the  globe,  including  seven  of  the  top  ten  FORTUNE  ®  100 
companies.  TCS,  with  revenues  of  $2.97  billion  in  FY  2005/06,  serves  its  customers 
with  over  71,000  expert  associates  from  53  countries  around  the  globe,  including 
10,000  employees  in  50  locations  throughout  the  U.S. 

It’s  time  you  got  to  know  the  biggest  I.T.  company  you’ve  probably  never  heard  of. 
For  a  more  complete  introduction,  email  marketing@usa-tcs.com  or  visit  us  online 
at  www.tcs.com. 




TATA  CONSULTANCY  SERVICES 


I.T.  Services  /  Business  Solutions  /  Outsourcing 


2006  Tata  Consultancy  Services  ltd.  All  rights  reserved.  Tata  Consultancy  Services  and  the  Tata  Consultancy  Services  logo  are  registered  trademarks  of  Tata  Consultancy  Services  ltd. 


On  his  way  to  work, 
Brian  started  to  think 
about  how  changing 
applications  could 
dramatically  speed 
up  product  design. 


Right  after  that,  a 
server  overheated 
and  he  spent  the  day 
shopping  for  fans. 


Set  IT  free 


Dual  Core  is  a  new  technology  designed  to  improve  performance  of  multithreaded  software  products  and  hardware-aware  multitasking  operating  systems  and  may  require  appropriate  operating  system  software  for  full 
benefit;  check  with  software  provider  to  determine  suitability;  not  all  customers  or  software  applications  will  necessarily  benefit  from  use  of  this  technology.  Intel's  numbering  is  not  a  measurement  of  higher  performance. 
1. Based on internal HP testing of similarly configured rack and blade servers running identical tests.




Xeon 

inside™ 


Dual-core. 
Do  more. 




Introducing  the  HP  BladeSystem  c-Class,  powered  by  the  Dual-Core  Intel®  Xeon®  Processor.  Give  your  IT 
department  the  freedom  to  spend  less  time  on  day-to-day  operations  so  they  can  focus  more  time  on 
pursuing  innovations  for  the  company.  The  new  HP  BladeSystem  comes  equipped  with  features  like  Thermal 
Logic  Technology,  which  manages  power  and  cooling  without  sacrificing  performance,  so  your  company  can 
deliver  power  savings  of  up  to  40  percent  or  more  versus  rack-mount  servers1.  And  money  saved  is  money  that 
can  be  reinvested  into  more  innovations  for  your  company.  Just  imagine  the  possibilities  when  you  set  IT  free. 


Call 1-877-726-8112
Visit hp.com/go/setITfree6 or contact your local reseller to
learn  more  about  how  the  BladeSystem  can  help  your  business. 




Intel,  the  Intel  Logo,  Xeon  and  Xeon  Inside  are  trademarks  or  registered  trademarks  of  Intel  Corporation  or  its  subsidiaries  in  the  United  States  and  other  countries.  The  information  contained  herein  is  subject  to  change 
without  notice.  ©  2006  Hewlett-Packard  Development  Company,  L.P. 


READER  FEEDBACK 


InBox 




Degree  Discrimination? 

Once again, an article in CIO magazine
about IT recruiting woes and the dearth of
skilled prospects [“How to Hook the Talent
You Need,” Sept. 1]. And once again, not a
single mention of the large percentage of
the general population being blatantly
passed over because of their lack of a college
degree. I powered my way through
the entire article, wincing all the way.
“Enrollment in U.S. computer science and
engineering programs has plunged five
straight years” (Page 40), “recruit them
out of the university” (Page 42), and so on
and so on.

To be fair, perhaps I missed an article
you may have published extolling the virtues
of hiring experienced, qualified, hardworking,
nondegreed professionals to fill
your IT hiring needs. But I seem to catch
article after article that laments the lack of
IT grads, and in almost every one of those
articles, not one time does anyone offer the
hiring of people without degrees as a possible
solution to the dilemma.

I have 10 years of IT experience, from
setting up PCs to configuring networking
gear to writing training documentation to
leading integration efforts. I am a certified
Project Management Professional. I even
have a NetWare certification. I have done
customer service from the help desk all the
way to the executive suite. Yet, time after
time, no matter how skilled and talented
I am or how respected I am by my peers,
coworkers and superiors, my resume is
sent straight to the circular file by someone
in HR who was told to prefer those
with a degree.

Just like anyone over 50 with a little
gray in their hair who now faces the
very real problem of age discrimination,
those without a college degree are facing
discrimination of their own. Forgive me
if my sentences are long and rambling.
Obviously, I have been impaired by my
lack of a college degree, and thus, my ability
to clearly communicate suffers greatly.
I would ask some of the world's richest
and most successful people, like Bill Gates,
Larry Ellison and Michael Dell, for help in
writing this letter. Alas, they too are without
degrees. It's a wonder their companies
ever succeeded. The time has come to separate
one's intelligence and capabilities from
one's academic standing.

TOBY FRUTH, PMP

Consultant

"Just like anyone over 50 with a little gray
in their hair who now faces the very real
problem of age discrimination, those without
a college degree are facing discrimination
of their own. The time has come to
separate one's intelligence and capabilities
from one's academic standing."

-Toby Fruth, PMP, Consultant

This is not as crazy as it sounds. Chris
Stockley of Skanska is absolutely correct.
Technical skills should be the last criterion
during a selection process. Today's technical
skills may be redundant tomorrow—some
skills that have a bit longer life are
comprehension, analytical abilities, interpersonal
adeptness, confidence, ability and
attitude to take on new challenges.

Technical skills can be taught, but you
can't teach the above.

RAJA YADAVALLI

Director

Ryzohm

It is interesting to hear CIOs write about
the lack of business savvy in the IT offerings
in higher education when in fact CIOs
are getting exactly what they are incenting.
When a law firm wants a lawyer, or
the National Institutes of Health wants
a researcher, what do they do? Forgive
educational loans. What do CIOs do to
students just out of school? Force them to

move to the areas of the country with the most inflated real estate costs while ratcheting down entry-level salaries by globalizing services. This doesn’t happen at the CIO level, so they are out of touch with the fact that it no longer makes business sense to go into IT unless you go directly into a director-level position.

Tangentially, this real estate “geolock” occurs at a time when we have robust technology to promote the adoption of remote employees. We hear all the political rhetoric about high gasoline prices and the instability they cause the economy, but neither political parties nor their business members make mention of the national economic security benefits of having a more virtual workforce that isn’t wasting productive time and precious fuel to commute to a computer that they can access from their home offices. Also not mentioned are the untapped “invisible” workforces, such as unemployed persons with disabilities who can’t afford accessible transportation but who could work with assistive technology-equipped home offices, if CIOs didn’t write them off completely. Or is it that CIOs are just ignorant of this potential resource?

Also, how many CIOs make use of standards like HR-XMLs to determine competencies and support assessment in college before the students enter the job market? Anyone care to do the survey?

Lastly, maybe it isn’t just the tech candidates who lack the business savvy.

ED  DODDS 

Strategist 

Conmergence 

IT Metrics

I suspect it is all about perception [“Communicating IT’s Value: Tools and Tactics,” Aug. 1]. What do IT and marketing have in common? The difficulty of measuring ROI. There is a somewhat vague perception that IT and marketing are necessary and make some kind of contribution to the bottom line, but quantifying the magnitude of that contribution is the difficult bit. It is also the important bit. To what degree is IT necessary? Maybe we need better metrics. But what do we measure? Do we measure different things at different times? Are there acceptable baselines against which to measure? How long do we measure for? How do we interpret what we have measured? How do we value what we have measured?

We need to ask fundamental questions of this sort if we want IT to be perceived as a consistent and stable profit center. We can then leverage this credibility to create effective partnerships across all functional boundaries.

A. SIRANJAN KULATILAKE

Line of Business Technology Executive
Creative Nexus 1356 LLC

Money Matters

Excellent article [“Show Them the Money,” Aug. 15] and very inspiring. There is, of course, much more to changing the IT organization into a moneymaking, entrepreneurial operation than a business-minded CIO. The entire culture of the IT department needs to be realigned from a cost-saving mentality to a profit-making mentality, and this implies organizational change; moreover, it implies a change in the organization’s investment planning and budgeting processes, which is not likely to happen without endorsement from the very top. Still, the prospect of additional revenue is the one argument the CEO would likely react to.

SIMONA LOVIN

Program Manager

Pearson Government Solutions

Mike Hugos gave me the hints I needed to put in place the strategy of my IT organization. It’s true that most of the time we focus on cost reduction, but this is not always the view of the business. “Making more money” is the business language we need to use to communicate with the executives.

EDUARDO OTALORA

CIO

Soboce

What Do You Think?

Send your thoughts and feedback to letters@cio.com. Letters may be edited for length or clarity. For a link to the articles mentioned, go to www.cio.com/archive.



CIO  wishes  to  acknowledge  the  2006  Editorial  Advisory  Board  members  for  their  ongoing 
guidance  and  reality  check  of  the  magazine’s  content  and  focus.  We  thank  them  for  their 
generosity  in  sharing  their  insight  into  the  world  of  IT  leadership. 


GREGOR  BAILAR 

CIO 

Capital  One 
Falls  Church,  Va. 


PAUL  J.  GAFFNEY 

EVP,  Supply  Chain 
Staples 

Framingham,  Mass. 


REBECCA  R.  RHOADS 

CIO 

Raytheon 
Lexington,  Mass. 


DOUG  BARKER 

CEO 

Barker  and  Scott  Consulting 
Washington,  D.C. 


ANDY  GEISSE 

CIO 

AT&T 

San  Antonio 


LARAINE  RODGERS 

President 

Navigating  Transitions 
Tucson,  Ariz. 


WAYNE  D.  BENNETT 

Partner 
Bennett  Law 
Wellesley,  Mass. 


JOHN  GLASER 

VP  &  CIO 

Partners  Healthcare 
Boston 


JAMES  F.  SUTTER 

Senior Partner
The  Peer  Consulting  Group 
Newport  Beach,  Calif. 


LARRY  BONFANTE 

CIO 

United  States  Tennis  Association 
White  Plains,  N.Y. 


SCOTT  HEINTZEMAN 

CIO 

Carlson  Marketing  Group 
Plymouth,  Minn. 


RICHARD  W.  SWANBORG  JR. 

President 

ICEX 

Boston 


SHEILA  DONAHOE 

CIO 

Bluegreen 
Boca  Raton,  Fla. 

MICHAEL  EARL 

Professor  of  Information 
Management,  Dean  of 
Templeton  College 
Oxford  University 
Oxford,  England 


C.  LEE  JONES 

Chairman, President & CEO

Essential  Group 
Gurnee,  Ill. 

SUSAN  S.  KOZIK 

EVP  &  CTO 
TIAA-CREF 
New  York  City 

BUD  MATHAISEL 

Corporate  VP  &  CIO 
Solectron 
Milpitas,  Calif. 

SHELEEN  QUISH 

Former  CIO 
U.S.  Can 
Lombard,  Ill. 


PATRICIA WALLINGTON

President
CIO Associates
University Park, Fla.

ROBERT P. WEIR

VP, Information Services
Northeastern University
Boston

STEVE WILLIAMS

SVP & CIO
Mattress Giant
Addison, Texas




EDITED  BY  LAURIANNE  McLAUGHLIN 


NEW  *  HOT  *  UNEXPECTED 


Multicore Chips Roil Software Pricing Waters

SOFTWARE

The growing popularity of server chips with multiple microprocessor cores continues to muddy the waters of software pricing: CIOs should start planning now for changes and perhaps some uncertainty in their software budgets.

Enterprise software vendors have traditionally priced software per processor. But now that some server processors have two cores (and soon will have four cores, followed by 8- and 16-core versions), one processor delivers the power and speed of several. That means customers will purchase servers with fewer processors to handle bigger workloads—and software vendors won’t make as much money, if software continues to be priced traditionally.

To compensate, IBM recently announced it will begin charging for software based on how fast it runs, not the number of processor cores on which it’s running. The company has developed a complicated chart to show how it will price software for different processors. (See details at “IBM Introduces Processor Value Unit Licensing,” www.cio.com/100106.)

As the basis for this model, IBM created a new license pricing unit called the “processor value unit.”

Continued on Page 26


Sprint’s Next Leap in Wireless: WiMax

WIRELESS

Sprint Nextel has given WiMax technology a green light, becoming the first major U.S. carrier to back WiMax for its fourth-generation (4G) wireless data network. Sprint, the third-largest U.S. mobile operator, plans to start rolling out the WiMax network in late 2007 and hopes to reach as many as 100 million people with the service by the end of 2008. Offering downstream speeds of 2Mbps to 4Mbps, WiMax promises new power for bandwidth-hungry applications like mobile videoconferencing and large enterprise file transfers.

With 4G, enterprises will be able to buy guaranteed throughput from a carrier, something they can't do with 3G, says Tad Neeley, an analyst at Gemini Partners. For example, if a company paid for 1.5Mbps upstream and downstream, remote employees could count on that speed no matter how busy the network was.

Hardware partners Intel, Motorola and Samsung Electronics will equip notebook PCs and a variety of mobile devices to use Sprint’s 4G network.

The 4G service will complement Sprint Nextel's 3G EV-DO (Evolution-Data Optimized) services, executives say. The carrier already offers video, music and other multimedia services on 3G, but that technology doesn't deliver the economics Sprint needs, says Barry West, Sprint's chief technology officer.

WiMax service prices will meet Sprint's frequently stated goal of offering 1GB of data per month for less than $20: "We are significantly south of that," West says.

Motorola and Samsung's position in the device market, along with Intel's marketing power, will make this a turning point for WiMax, says IDC analyst Shiv Bakhshi. "WiMax was in need of a major player signing on to it," he says.

-Stephen Lawson




Can RUBIK'S Solve Business Riddles?

INNOVATION

Companies resemble puzzles: Many pieces must fit together (like staff, products and processes) in order to produce the desired outcome (profits). When a company fails to solve this quandary, or takes too long, it loses out to craftier competitors. In a new wrinkle, researchers are striving to help companies improve efficiency by studying the puzzle of all puzzles: the Rubik's Cube.

Armed with at least 64 microprocessors and 20 terabytes of space, a professor from Northeastern University in Boston will try to do just that—by recording as many states of the Rubik's Cube as possible. The project may seem like a fascination with one of the world's most popular toys gone awry, but it's actually a complex look at how better operations research could improve a company’s bottom line, says Gene Cooperman, director of the Institute for Complex Scientific Software at Northeastern, who is spearheading the project.

“I’ve never solved a Rubik's Cube," Cooperman says. “It’s not one of my personal hobbies. But if you can take the more obscure research and apply it to something the public recognizes, then it’s definitely worth doing."

Cooperman says the Rubik's Cube has about 40 quintillion possible states. (Think beyond billions: That’s 40 followed by 19 zeros.) He believes the 20 terabytes of storage (for which his department was given a $200,000 grant from the National Science Foundation to aid various research projects, including his) will not be enough to record all the states of the Rubik's Cube. Even so, he says the myriad combinations the research will yield could help businesses make smarter operational decisions, such as planning more efficient employee travel schedules.

-C.G. Lynch


From One to Watch to CIO

CAREER

Can we pick a winner or what? Robert Worrall, one of the up-and-coming IT professionals named in CIO's 2006 “Ones to Watch” (see “20 Leaders to Watch,” www.cio.com/070106), became CIO at Sun Microsystems in July. Previously vice president of IT, Worrall has handled operations and application support, development, and architecture issues for Sun. He also created Sun’s IT governance department.

Just before he was promoted, Worrall told CIO's Steff Gelston what he thinks it takes to be a successful CIO:

“It’s the long-forgotten skill of listening. I get frustrated by the fact that most IT people, including CIOs, rush to solutions generally involving technology of some sort. When in fact a good mentor of mine years ago said, ‘Just set the technology aside and listen to what your business partner is really asking. And if it turns out in the final analysis that technology can help, that’s great. But that’s not your first job. Your first job is to help solve a business problem or a business situation.’”


Continued  from  Page  25 


IBM will set software prices using this scheme beginning with the release of Intel’s upcoming quad-core Xeon server processor, expected to be available later this year.

Oracle unveiled its own multicore pricing plan in July 2005. Oracle’s method defines each processor core on a multicore chip as .25 to .75 of a processor, depending on the type.

However, Microsoft hasn’t hopped on this train yet; Microsoft says it will continue to charge per processor for software, not per core or using a performance-based method. This gives the software giant a slight edge over competitors, analysts say, because customers gain cost consistency.

Forrester Research analyst Julie Giera says she expects to see not only confusion but also frustration among customers in the next six to 12 months as software pricing continues to be “fluid” due to the growing prevalence of dual-core and multicore servers.

CIOs should look for verification from vendors that existing projects, especially those involving server consolidation, will continue to have the same cost structure as when they began, Giera advises.

As the software pricing changes begin to take effect, CIOs should start new consolidation projects with care since they may not be as cost-effective, she adds. “Server consolidation projects that may have generated 20, 25 percent savings six months ago may not be generating those same kinds of saving in the next six to 12 months,” she says.

Another strategy: More CIOs may want to consider using open-source software as an alternative to commercial software during the transition period, Giera says.

Finally, you may need to rework your calendar. Steve Acterman, director of corporate IT for Volt Information Sciences in New York City, says he’ll build in more time to research and negotiate software contracts for projects. “It will take more effort, energy and lead time to nail those down,” he says.

-Elizabeth Montalbano




ENERGY

As the price of running a data center continues to rise, researchers investigate novel ways to cut two of the top costs: administrative and energy expenses. Carnegie Mellon University created the Data Center Observatory to find techniques to trim the bills for both. Human costs (such as staffing, troubleshooting and maintenance) represent the largest ticket item, says Greg Ganger, professor at Carnegie Mellon and director of the Parallel Data Center, one of the university groups working on the observatory effort. Also, cooling costs add up quickly: In its lifetime, a data center can cost four to seven times more than the equipment’s original price tag, Ganger says.

In one part of the research, the observatory’s servers will be cooled with a new kind of system from American Power Conversion (APC), a major corporate partner for the project. Unlike a traditional cooling approach, where you’d cool the entire area where servers reside, APC’s system sections off large parts of the room with special plastic walls so that only the immediate area near the hot side of servers (where they vent out) needs cooling. (To learn more about managing data center energy costs, read “Powering Down,” at www.cio.com/041506.)

In order to reduce data center staffing expenses, the observatory will study exactly how data center employees spend their time—an area that’s not well understood today, Ganger says. Researchers will use the information to develop algorithms to automate more tasks.

The observatory’s researchers will also try to automate hardware troubleshooting, to save employees time. But this development job will be tough, says Ganger, who characterizes it as a “long-range challenge.” It’s a hard problem to solve because of the sheer number of components and settings in a data center that can malfunction. Plus, computers aren’t inherently intuitive or creative about searching for sources of trouble, he says.

-Diann Daniel

Users Say PCs Are Like EDSELS

CUSTOMER CARE

Customer satisfaction with PC makers rose by 4 percent this year—but these companies still give customers a rough ride, according to the American Consumer Satisfaction Index (ACSI), a prominent study done yearly by the University of Michigan. On average, PC makers rated only as well as the lowest-ranking car manufacturer, the newest study shows. “Imagine if automobiles had the same reliability as PCs," says Claes Fornell, a professor at the university’s Ross School of Business. “Think about what the highways would look like.”

Apple's customers remain the happiest in the bunch, but satisfaction improved for every hardware vendor the survey covers, including Compaq, Dell and Gateway. In one promising sign, Dell’s score went up by 5 percent compared with last year, partly thanks to improvements to its call center, Fornell says.

PC vendors are slowly learning that excellent customer service (not just low prices) sets them apart, says Fornell. For years, the weakest part of the auto industry was service, and this took decades to improve, he says. PC makers will get there quicker, he predicts.

Meanwhile, customer satisfaction with search engines has been improving since it was first measured in 2002, according to ForeSee Results, an online satisfaction measurement firm that cosponsored and wrote the ACSI study. Google rates as the big winner with customers: More than 40 percent of all searches occur on Google, according to this research—more than Yahoo and MSN searches combined.

The ACSI study shows that MSN doesn’t differentiate itself and Yahoo offers too many options, says Larry Freed, president and CEO of ForeSee. “When you try to be everything to everyone, you fail," he says. One search site that has found the right mix, Freed says, is Ask.com (formerly Ask Jeeves). Small design updates and new functions like encyclopedia search and mapping technology make Ask a competitor to watch, he says.

-Margaret Locher




Indian IT Services Giants Seek U.S. Staff

STAFFING

In the 1990s, Japanese carmakers including Honda, Nissan and Toyota rapidly added American employees to their workforce. Now Indian IT services companies are following suit in order to hire top talent globally and better integrate into the U.S. corporate landscape. While they're mainly adding employees in the United States, these firms are also sending an increasing number of new hires to do extended stints in India.

For people like Andy Keyser, previously CIO for the Pennsylvania Department of Corrections, the trend creates opportunities for broader business exposure and the chance to join a fast-growing organization. Keyser, who continues to live in the United

ment practice of Tata Consultancy Services (TCS), India's largest IT services company. "It is a very flat organization," Keyser says, compared with the complex organization charts of most American IT services companies.

Headquartered in Mumbai, TCS already employs 600 Americans—and expects to add another 1,000 staffers across its 50 offices in the United States within a year, says Surya Kant, president of TCS America. In particular, TCS seeks business consultants, software engineers and new MBAs for its financial services, health-care, media and government practices.

Indian IT services company Infosys has an aggressive U.S. college recruitment program in place, says Bikramjit Maitra, VP and head of human resources. “We visited 61 engineering and liberal arts colleges across the U.S. and plan to have 300 new hires join us shortly," Maitra says. Most new U.S. hires spend four months training in Mysore, India, about 100 miles from Infosys headquarters in Bangalore.

Partly due to the chance for quick career advancement, Indian IT services firms are luring recruits such as 23-year-old Scott Stapleton, who went to Infosys’s Bangalore headquarters after graduating from Georgetown University. "The future of the global economy is transnational jobs like mine,” he says.

-Gunjan Bagla


Business Alignment: Find the Right Metrics

MANAGEMENT REPORT

If your IT metrics do not align closely with business goals, you’re less likely to achieve top performance. Yet CIOs struggle to fashion those metrics: A recent global survey of 150 CIOs by Accenture found that top performers base IT investment decisions on their ability to drive the business forward, but few companies have created the metrics to help them do it. Seventy-five percent of companies surveyed recognize the need for such metrics, but only 33 percent currently use them, the consultancy found.

The high turnover rate among CIOs contributes to the problem, says Frank Modruson, currently in his fourth year as CIO of Accenture. “IT takes time to change, and if the leader is changing too frequently, it’s hard to successfully implement a program,” he says.

Modruson says that CIOs must create metrics that show the business how IT is meeting its needs, in “digestible and understandable” terms.

Measure IT’s overall performance using a scorecard, he suggests. This should cover IT’s contribution to the business, project sponsor and employee satisfaction, and IT spending on operating costs versus new technology investments.

Another best practice: Create a business case for each IT initiative, highlighting costs, benefits and business processes to be affected, he says. Then IT needs to report on the initiative. At Accenture, Modruson’s IT team measures the results of a project for three years after completion, highlighting achievements and pointing out hard and soft benefits. “This shows us where IT is strong, where it is weak and where [we] should be investing,” he says.

The highest-performing companies in the study (as measured by 33 criteria such as effectiveness of skills management and leadership in technology innovation) were more willing to invest in new technologies, such as SOA and Web portals. They were also more likely to throw out rather than tweak applications that didn’t meet business needs, Modruson says.

-Katherine Walsh


30  OCTOBER  1,  2006  |  www.cio.com 


PHOTO-ILLUSTRATION  BY  STEPHEN  WEBSTER;  PHOTO  TOP  BY  ANDY  HILL 




TRENDLINES 


Brits Demand Keys to Unlock Your Data

DATA SECURITY | The U.K. government may soon activate a law that would compel a person to provide encryption keys or make scrambled data intelligible upon demand by authorities, or face jail time. The move follows British police complaints that increasingly, PCs containing encrypted data are stalling investigations in areas such as child pornography.

In  2000,  Parliament  passed  the  Regulation  of  Investigatory  Powers  Act 
(RIPA),  updating  how  law  enforcement  should  conduct  covert  surveillance 
and  wiretapping  in  light  of  new  communications  technologies. 

But the government didn’t activate a part of the law dealing with encryption—because it wasn’t widely used at the time, according to the Home Office. However, the government recently made an exception. As part of antiterrorism legislation approved in April, suspects in national security cases could face five years in prison for failing to disclose an encryption key.

Under RIPA, suspects may receive up to two years in prison for cases outside national security. But the legislation has worrisome aspects, security experts say. High-ranking military, police and customs officials could demand keys without a court warrant.

Multinational  corporations  may  be  nervous  about  storing  encryption  keys 
in  that  kind  of  climate,  says  Richard  Clayton,  a  security  expert  at  the  University 
of  Cambridge  in  Cambridge,  England.  “There  is  a  case  for  a  power  to  ask  for 
decryption,”  he  says.  But  “almost  everybody  charged  with  this  offense  is  going 
to  say  ‘I  forgot  the  key,’  and  frankly,  a  jury  is  going  to  believe  them,”  he  adds. 

-Jeremy  Kirk 


How  to  Move  to  a  New  Industry 


ON THE MOVE | Opinder Bawa’s nearly yearlong effort to move into the health-care industry wasn’t easy. Bawa, a child of Silicon Valley who had worked exclusively for technology firms until last February, found himself pigeonholed as a high-tech exec. Recruiters and hiring managers couldn’t see past his lack of health-care experience. To overcome that handicap, the former CTO of the SCO Group took on some consulting assignments to learn about the field, versed himself in electronic medical records and other health-care IT systems, and figured out ways to demonstrate how he could apply his previous experience. Eventually, Bawa, 42, was offered a job as CTO of the private, nonprofit Boston Medical Center.

[Photos: Opinder Bawa; Robert Urwiler]

As Bawa found, switching industries—even among highly specialized ones—is no longer impossible, says Carl Gilchrist, leader of the North American CIO practice at recruiting firm Spencer Stuart. “CIOs are being hired for their leadership, business skills and ability to execute. If you can do all three of those things well and you have board presence, you can cross industries for the most part,” he says. Of the last 50 CIO placements his firm has made, half came from outside the hiring industry, he says.

Among  the  CIOs  who've  transitioned 
into  new  industries  recently  are: 

■ Robert Urwiler, the former senior VP and CIO of Macromedia and Peregrine Systems, joined Vail Resorts as senior VP and CIO in August.

■ Harold Hampton left newspaper publisher Knight Ridder to become SVP of technology and operations at RolloverSystems, a provider of outsourced retirement plan rollover services, in July.

■ The city of Boston announced William Oates, former CIO of Starwood Hotels, as its new CIO in June.

■ Construction firm HBE hired Scott Berlinger as its new CIO from a debt collection company in June.

-Meridith  Levinson 


cio.com 



Read  Meridith  Levinson’s  MOVERS  AND  SHAKERS  blog  for  the  latest  moves.  Find  it  at  blogs.cio.com. 




ILLUSTRATION  BY  JOHN  TEATE  &  TOM  MARVIN 




ESSENTIAL 


FROM INCEPTION TO IMPLEMENTATION — I.T. THAT MATTERS


Edited  by  Laurianne  McLaughlin 
lmclaughlin@cio.com 


Bendable displays? Mind-reading PCs? Some futuristic technologies are closer to fact than fiction.


Sci-Fi  Tech 

BY  MICHAEL  FITZGERALD 

CUTTING EDGE | Today’s science fiction often becomes tomorrow’s reality. Science
fiction  writers  presaged  flight,  nuclear  weapons,  cyberspace  and  computer  viruses,  among 
other  changes.  “It’s  good  for  CIOs  to  read  science  fiction,”  says  Paul  Saffo,  a  Silicon  Valley 
technology  forecaster.  Read  what  your  new  hires  are  reading,  he  says,  “and  you’ll  get  a 
sense  of  what  they’ll  want  to  build  when  they’re  middle  managers.  You’ll  also  relate  to 
them  better,”  he  says.  Thinking  a  little  more  tactically,  should  any  sci-fi  technology  ideas 
be  on  your  radar  now?  Check  out  these  five  visions  that  are  moving  into  the  real  world. 

Roll-Up  Displays 

Why  they're  cool:  Resize  at  will. 

What  CIOs  could  love:  Reduced  eye  strain,  saved  desk  space. 

Displays  offer  fertile  ground  for  imagination:  Just  envision  miniature  flat  panels  that  you 
could  slap  on  objects  as  if  they  were  stickers,  for  instant  displays.  On  a  more  practical 
level,  wouldn’t  it  be  nice  to  have  a  way  to  instantly  make  your  cell  phone  display  bigger? 

This would probably involve building a display that could bend or even roll up. That last concept might seem completely outlandish—displays consist of glass and other substances no more inclined to bend than the typical CEO. Yet such displays have been demonstrated by the likes of Philips and Xerox and might not be far away from market.

ILLUSTRATION BY GARY NEILL

A typical flat-panel display features several layers, including a glass substrate with a transistor backplane that includes semiconductor, insulating and metal layers. A liquid crystal is sandwiched between this and a color filter layer. To make a display bend, you need more flexible materials, such as plastic in place of glass, and in some cases, organic semiconductors.

Such materials form the basis of prototype 2- to 4-inch displays that have been built for the U.S. military by Universal Display, L3 and Xerox’s PARC subsidiary. These displays—made on stainless steel foil—curve around the wrist for improved mobility.

Meanwhile, Philips and PARC have both demonstrated flexible displays, some made using printer-style jet arrays, for use with cell phones and other handhelds. Robert Street, a PARC senior research fellow, says that the company’s jet-printed arrays and rollable displays are in early prototype stages—mostly because of manufacturing challenges and the need to develop manufacturing equipment.

Cognitive  Radio 

Why  it’s  cool:  Makes  smarter  use  of 
wireless  spectrum. 

What  CIOs  could  love:  Faster  and  more 
reliable  wireless  networks. 

There’s plenty of unused wireless spectrum out there that corporate nomads would love to utilize. Yet it isn’t available to clogged parts of the spectrum. Cognitive radio—using software algorithms that help it immediately find an open spectrum anytime the normal frequency is filled—could solve the problem. Cognitive radio could produce a faster and more reliable wireless network than today’s, creating higher bandwidth by adapting to spectrum conditions.

For instance, the cellular network sees heavy usage during commuting hours, and more calls might be completed if cell phones could just jump outside the allotted spectrum at those times.

Spread-spectrum technologies already exist in wireless communications, routing packets in novel ways. Triband cellular phones that automatically switch to new network technologies show how cognitive radios might function, as do phones that automatically switch from a cellular network to a Wi-Fi network.

“The basic core technology exists to do cognitive radio—we know what the algorithms are and how to implement them,” says Krishnamurthy Soumyanath, director of Intel’s Communications Circuits Laboratory.

But real cognitive radio is not yet ready for the real world. A practical problem is power consumption—hopping between spectra requires more power than mobile devices have to spare. Soumyanath thinks the power problem will keep full-fledged cognitive radio from reaching the market before 2010.

Magnetic  Memory 

Why  it’s  cool:  Uses  the  spin  state  of 
electrons  to  store  data. 

What  CIOs  could  love:  Fast  speed, 
low  power  requirements. 

Quantum computing—the idea that PCs could use quantum mechanics to move beyond today’s system, where every bit of data holds a 0 or 1 value, to a system where bits could hold an unlimited number of values—is still far, far in the future. But elements of it are emerging now.


Ray Kurzweil: What’s Next

Ray Kurzweil’s vision of the future is radically different from today—his book The Singularity Is Near spells out a prediction, among others, of our future as cyborgs. He spoke with CIO about sci-fi changes that he imagines within two decades. Good news: He says your CIO job isn’t going away.

“In the second decade of this century, we’ll have full immersion virtual reality, as if you and I were sitting with each other. So we’ll be able to visit with each other, either in large meetings or Internet encounters, in this way pretty ubiquitously.

“It’s already coming. I give about a third of my speeches using a virtual reality technology called Teleportec. It appears to the audience that I’m there, and I can move around, I’m life-size, I’m high-resolution. It looks like I’m there, people have been fooled. And I can see them and point at people and establish eye contact.

“Also in the second decade, computers will disappear as physical objects. We won’t be carrying around these rectangular displays. They’ll be built into our glasses and written to our retinas. The electronics will be in your clothing or your belt, we’ll be online all the time with very high bandwidth communication. We’ll have to work out some way to communicate to the system, but it’ll have good speech recognition.

“Will we still need CIOs? CIOs are very well-positioned, if you take a broad view of information as I do. Everything of importance is information. Even if you’re a steel company it’s the information the executives deal with and need access to. So managing information is going to be where it’s at.”

-Michael Fitzgerald




MRAM, or magnetoresistance random-access memory, is the newest example.

MRAM works by using the spin state of electrons to store data. Instead of 0s and 1s, MRAM stores data by writing to the up or down state of the electrons. MRAM could become a kind of supermemory, one with the density to hold a great deal of data, and one with no moving parts, a la flash memory. What’s more, MRAM has the blazing speed of random-access memory but doesn’t lose its data when power fails.

It sounds fantastic, but elements of magnetoresistance have been in hard drives for years, and Freescale Semiconductor recently began shipping a commercial version of a 4-megabit MRAM chip.

That’s a tiny amount of memory compared with the latest flash memory, but producing a commercial MRAM device is still a milestone. MRAM will probably hold appeal right now for markets that use embedded memory, like smart cards. As capacity grows, you’ll see more products using MRAM.

Separately, IBM researchers recently said they have successfully stored data on a single molecule by taking advantage of spin—a step toward computing at a molecular level. It won’t be an overnight sensation, but researchers say the work will prove quite useful 15 years from now: That’s when many believe conventional memory techniques will run out of gas.

Holographic  Hard  Drives 

Why  it’s  cool:  Holographs.  Need  we 
say  more? 

What  CIOs  could  love:  Huge  capacity. 
Blazing  data  transfer  rates. 

Photographs contain huge amounts of data: That’s the starting point for thinking about holographic storage. Light on photopolymers (in effect, film) creates three-dimensional patterns that allow for data storage below the surface of a medium—allowing tremendous amounts of data to be stored in a fixed amount of space. And, because it can write to perhaps a million bits of data at once, a holographic hard drive works much faster than today’s mainstay drives.

More on Magnetic Memory

For further reading on this technology and a look at what’s ahead, see “SPINTRONICS: A RETROSPECTIVE AND PERSPECTIVE” from IBM Research at www.cio.com/100106.

cio.com

Thought  implausible  as  recently  as  five 
years  ago,  holographic  storage  now  looks 
to  debut  by  late  this  year. 

InPhase says it will ship a storage system based on holographic technology before the end of 2006, primarily for archival storage uses. This would feature holographic versatile discs (HVDs) that hold 300GB of data, or roughly 35 hours of broadcast-quality TV (or 25 minutes of HDTV), according to InPhase. That’s 64 times what a DVD can store.

If  holographic  storage,  first  proposed 
more  than  40  years  ago,  finally  becomes 
mainstream,  it  may  eventually  replace 
DVDs  as  the  preferred  disc  type.  But  before 
that  can  happen,  costs  will  have  to  drop 
sharply:  The  InPhase  system  looks  to  cost 
$15,000,  plus  more  than  $120  for  a  disc. 

But by 2010, one disc could hold 1.6 terabytes. A consortium called the HVD Alliance says it expects data transfer rates to equal 1Gbps, far faster than current DVD rates.

While  initial  HVDs  will  be  writable 
only  once,  researchers  expect  holographic 
storage  will  eventually  gain  the  same 
read/write  ability  as  CDs  and  DVDs. 

Neural  Interfaces 

Why  it’s  cool:  You  are  now  entering 
the  Matrix. 

What  CIOs  could  love:  No  more  carpal 
tunnel  syndrome.  And  no  more  wondering 
what  the  boss  really  thinks. 

CIOs  had  better  hope  for  the  success  of 
holographic  data  storage:  It  might  be  the 
only  way  to  store  the  mountain  of  data 
produced  when  you  can  connect  your 
brain  directly  to  the  network. 

With neural interface technology, which connects the human brain to the computer, people will be gathering, managing and storing a vast amount of information, says Brock Hinzmann, technology navigator at SRI Consulting in Menlo Park, Calif.

If that sounds way too much like jacking into the Matrix (or like the original cyberspace novel, Neuromancer), then brace yourself—because it’s already happening. As was first published in research this year, a paralyzed man used “BrainGate” to control a mouse cursor, play a video game, change channels on a television and perform other functions. BrainGate is an implanted neural sensor, a 4-by-4-millimeter chip with 100 electrodes that sits on the surface of the brain in the area of the motor cortex, interpreting brain signals. Developed by Cyberkinetics Neurotechnology in Foxborough, Mass., it’s currently in early clinical trials.

Plenty of work remains for neural interface technology, but more basic kinds of neural interfaces—such as cochlear implants, which improve hearing beyond normal human capacity—have already become available.

Michael Fitzgerald (michael@mffitzgerald.com) is a freelance writer based in Millis, Mass.

Sci-Fi To-Do List for CIOs:

1. Read Accelerando, by Charles Stross: A peek at how nanoinformatics and other developments will change society over the course of the 21st century.

2. Read Rainbow’s End, by Vernor Vinge: Life in 2025, with ubiquitous information banks, networked clothing and “silent messaging.”

3. Visit Second Life (www.secondlife.com). This virtual world, which is becoming a corporate water cooler for the younger set, hosts consultant meetings, press conferences and an active industry of designers marketing avatar outfits,




CAREER  COUNSEL 


Grow  Your  Own 

Smart succession planning can help the CIO cultivate and keep future leaders—and boost his own career prospects


I  am  an  executive  recruiter.  In  the  next  12  months,  I  will 
call  your  top  employee  and  ask  her  to  consider  a  new 
job  opportunity.  She  will  answer  me  in  one  of  two  ways. 
Either  she  will  say,  “No,  thank  you.  My  company  treats 
me  well  and  is  grooming  me  for  my  next  position.”  Or  she’ll 
whisper  the  words  I  love  to  hear:  “I’ve  hit  a  wall  here.  I’d  be 
delighted  to  talk.” 

Her answer will likely hinge on your succession planning program. Without a good one, your retention rates will suffer—and so will your own ability to advance. What CEO will move you into a new position if you cannot backfill the CIO spot with another strong leader?

Running  a  succession  planning  program  is  not  easy.  To 
help  you  move  ahead  on  this  critical  effort,  I’ve  asked  CIOs 
who  have  created  a  culture  of  succession  to  share  what  they’ve 
learned. 

1.  Embed  succession  planning  in  your  organization. 

When insurer Bristol West Holdings went public, the board of directors listed enterprise succession planning as a top priority. CIO Jack Ondeck did a gap analysis of the skills his direct reports had at the time and those they would require to succeed him. Training was arranged for those who needed it.

Ondeck also kept succession planning in mind when he restructured the IT organization the following year. “Most of my senior staff now have a dotted line to a senior VP who is responsible for a large business area like claims, point of sale or product lifecycle,” he says. “Since my directors are now setting priorities for the entire group, they are essentially running their own IT organizations with all of the strategic, leadership and political responsibilities that come along with the role.” By creating an organization whose departments are led, essentially, by “junior CIOs,” Ondeck created a stronger pool of potential successors.

ILLUSTRATION BY JUSTINE BECKETT

His  only  regret:  “I  wish  I  did  the  reorganization  earlier.  The 
new  reporting  structure  makes  my  direct  reports  much  better 
at  the  jobs  they  have  now.” 

2.  Manage  expectations.  When  Purdue  Pharma  CIO 
Larry  Pickett  needs  a  stronger  enterprise  focus  on  an  area 
like  security,  he  pulls  a  middle  manager  with  that  specific 
expertise  into  his  pool  of  direct  reports  for  a  limited  time.  Not 
only  does  this  heighten  the  company’s  awareness  of  an  issue, 
it  also  gives  the  employee  an  opportunity  to  work  with  Pickett 
and  participate  in  IT  leadership  meetings.  The  benefits  of  this 
approach  are  great,  but  Pickett  offers  a  caution:  “Employees 
need  to  know  up  front  that  they  will  be  transitioning  back 
into  their  place  in  the  organization,”  he  says.  “This  can  feel 
like  a  demotion,  so  it  is  critical  they  understand  that  while 
they  will  no  longer  report  to  me,  they  will  now  have  a  broader 
set  of  responsibilities  and  will  be  better  positioned  for  future 
growth.” 

3. Don’t forget the technologists. When Karin Catton became CIO of manufacturer Johns Manville, she conducted an employee satisfaction survey. She quickly learned her staff felt disconnected from the business and lacked strong leadership. So she created a program in which her vice presidents, directors, senior managers and managers meet with their bosses on a quarterly basis to learn what they need to do to move up.

Catton then went one step further: She developed a program for her independent contributors, who don’t manage people. “Your technologists may not be born managers, but they need a development path as well,” she says. “We created a succession path in our architecture group that includes a ‘principal’ level. The principals do not have staff, but they are on a technical succession plan and [are] recognized throughout the company as thought leaders.” By creating a clear career path, Catton has ensured that if her chief technologists leave the organization, she will not have to go outside to find replacements.

Catton has quantifiable evidence that her succession planning efforts are working: Employee satisfaction ratings rose from one to four.

4. Get HR involved. Pickett considers leadership development a critical responsibility. So he joined forces with HR to create a formal succession planning program that includes job rotation, training, goal setting, feedback and executive coaching. “We used to spend tens of thousands of dollars to send our high-potential employees to external programs,” he says. “Now we have an internal program that is better.”

Using  succession  planning,  each  of  these  CIOs  created  a 
culture  where  employees  and  the  company  win.  For  those  of 
you  with  high  retention  rates,  what  lessons  can  you  add? 



The Last Word

Martha Heller responds to readers’ comments

The  succession  planning  column  missed  a 
key  point,  according  to  Les  Viszlai,  CIO  of  Services 
Engineering  IT  for  General  Electric.  "Succession 
planning  is  much  easier  to  do  in  a  large  company," 
he  writes.  "More  opportunities  are  available  to  cross 
train.  In  smaller  companies,  IT  staff  turns  over  only 
when  the  person  in  the  'next'  role  retires  or  takes  a 
new  position.  My  experience  is  that  smaller  compa¬ 
nies  don’t  do  bench  planning  very  well." 

To  test  this  hypothesis,  I  asked  smaller  company 
CIOs  for  their  take.  Succession  planning  is  tougher 
at  smaller  companies,  agrees  Craig  Halterman,  CIO 
of  $373  million  Axcelis  Technologies.  “The  oppor¬ 
tunities  that  were  provided  to  me  at  GE  and  Dow 
Chemical  are  more  than  I  can  provide  my  staff,”  he 
says.  "The  key  to  succession  planning  in  a  midsize 
company  is  being  strategic.  Focus  your  planning  on 
areas  that  have  tight  integration  with  the  business, 
and  acknowledge  that  you  might  have  acceptable 
resource  losses  in  the  more  commodity-like  areas.” 

Tony Young, CIO of $267 million software maker
Informatica, disagrees. "The common thread for
both a midsize organization and a large enterprise
is dedicating time to developing the right people," he
says. "Succession planning is part of how we manage
our organization. When setting quarterly objectives,
we talk about succession planning with our managers
to ensure we are developing our people appropriately.”

Whether  you  are  the  CIO  of  General  Motors  or 
of  a  $50  million  startup,  you  want  employees  to 
believe  they  have  a  future  under  your  leadership. 
And  the  number  of  resumes  I  received  after  posting 
this column online indicates that—regardless
of your organization's size—you all have some
work to do!


Join  the  Conversation 


Respond to Martha Heller's latest
online column by visiting
www.cio.com/career/boost/index.html.


Martha  Heller  is  managing  director 
of  the  IT  Leadership  Practice  at  the 
Z Resource Group, an executive recruiting
firm that is based in Boston. Reach
her  at  mheller@zrgroup.com. 




EXECUTIVE COACH

Susan Cramm

A Good Offense Is a Good Defense

It pays for CIOs to map their own plays before
a mandate to outsource comes down from on high

One  of  the  most  frustrating  aspects  of  working  for 
somebody  else  is  the  dreaded  “dictate  from  above.” 
Dictates  aren’t  requests,  they  are  demands.  Most 
workers, when faced with an order to do something
they don’t understand or support, disconnect emotionally
from the task and follow through in lackluster fashion.
This leads to disappointing results that reinforce the perception
that those above are disconnected from reality. And the
demanding  executive  gives  up  on  either  the  idea  or  the  people. 
In  the  end,  the  organization  loses. 

For the CIO, some of these dictates are related to outsourcing,
a strategy that is usually defined at the top and sometimes
disdained in the middle. I was in a planning meeting recently
where a midlevel executive conveyed an outsourcing dictate
to his group. The discussion that followed was high on perspiration
but not on inspiration: “It doesn’t save money,” “Our
complex  work  can’t  be  outsourced,”  and  so  on.  Minds  were 
closed  to  the  positive  experiences  of  other  organizations  and 
the  opportunities  that  could  be  created.  The  outcome?  A  set  of 
modest  goals  that  did  little  to  address  industry  cost  pressures 
and  global  support  requirements. 

Outsourcing’s  value  depends  on  the  actions  of  those  who 
are  tasked  with  making  it  real.  Done  well,  it  saves  money  and 
allows  an  organization  to  reinvest  in  high-value  activities  such 
as  interacting  with  customers,  managing  innovation,  defining 
strategic direction and formulating plans. Done poorly, outsourcing
can increase costs around the management of sourcing
relationships and syncing up processes and can strip an
organization  of  creativity  by  focusing  internal  resources  on 
work  that  lacks  innovation. 




ILLUSTRATION  BY  NOMA  BLISS 




For  these  reasons,  the  CIO  should  be  on  the  offensive  when 
it  comes  to  outsourcing.  After  all,  it’s  better  to  initiate  your 
own  program  rather  than  have  one  handed  down  from  on 
high  (see  “Just  Say  ‘Know,’”  Page  52).  But  don’t  concede  the 
game if you find yourself on the receiving end of an outsourcing
mandate. You can still shift to an offensive position by
taking  a  leadership  role  in  the  initiative  and  redefining  it  so 
that  it  works  for  you  and  your  organization  while  protecting 
the  long-term  interests  of  the  enterprise.  In  other  words,  love 
it  to  death. 

Outsourcing  is  a  competitive  necessity  in  a  global  economy. 
When  (not  if)  the  call  comes,  try  the  following  tactics. 

Focus  on  the  opportunity.  Let  go  of  concerns  and  fears 
until you define the opportunities—beyond cost savings—
that  outsourcing  enables.  What  should  your  organization  do 
better  and  how  could  outsourcing  help  fund  or  catalyze  the 
change?  The  participants  in  the  planning  meeting  I  attended 
had  difficulty  focusing  on  the  opportunities  rather  than  on 
the  risks  and  challenges.  It  took  effort  for  them  to  identify 
how  outsourcing  could  improve  leadership  on  activities  that 
had degraded over time due to a lack of funding for incremental
maintenance. Avoid their mistake.

Demonstrate  that  you  are  serious.  Reach  for  empirical 
research  and  get  “lessons  learned”  from  organizations  that 
use  and  supply  outsource  services.  Develop  a  plan  that  shows 
a  committed  and  disciplined  approach.  It  should  incorporate 
tenets such as an aggressive, integrated pilot program, strategic
selection of offshoring locations, multiple suppliers to
ensure  competition  and  lower  risks,  the  creation  of  metrics 
and  a  plan  to  share  the  benefits  with  the  business  to  motivate 
adoption.  Remember  that  unless  you  commit  over  time  to 
increasing  the  work  that  is  outsourced,  the  payoff  will  never 
be  realized  because  the  costs  of  establishing  and  managing  an 
effective  sourcing  program  are  high. 

Avoid  the  path  of  least  resistance.  Although  it  is  easier 
and  less  risky  to  outsource  “keep  the  lights  on”  tasks  rather 
than  IT  development  activities,  many  organizations  first 
outsource  development  because  of  its  variable  nature.  But 
placing  project  management,  business  and  architectural 
knowledge  solely  in  the  hands  of  the  outsourcers  can  lead  to 
a  withering  of  the  internal  capability  to  innovate.  Outsource 
innovation-based  work  to  accommodate  peak  demands  and 
to  access  specialist  expertise.  And  ensure  knowledge  transfer 
and  retain  control  over  tasks  such  as  program  management. 

Take care of your people. By keeping the most exciting
work inside and refocusing your workforce, you increase
your  odds  at  retaining  the  best  and  brightest.  Demonstrate 
integrity  by  communicating  openly  and  providing  training, 
retention  bonuses  and  severance  for  those  who  need  them. 

You  can’t  really  love  outsourcing  to  death  but  you  can  play 
offense  to  ensure  that  you  get  the  best  out  of  outsourcing  and 
it  doesn’t  get  the  best  of  you. 


Ask  the  Coach 

Q:  What  trends  do  you  see  in  the  industry  for  training 
managers  and  leaders  to  manage  well  in  the  onshore/ 
offshore  environment? 

A: Fortunately, there are plenty of resources available
for those who want to teach their organizations
how to manage outsourcing effectively. A good place
to start is the International Association of Outsourcing
Professionals (www.outsourcingprofessional.org), a
consortium established—in its own words—to design,
implement and manage the global corporate ecosystem.
While  organizations  are  becoming  increasingly  savvy 
in  managing  these  extended  sourcing  relationships, 
they  are  not  placing  enough  emphasis  on  reskilling  the 
current  IT  workforce  to  assume  the  innovation  role.  As 
part  of  playing  offense  on  outsourcing,  IT  leaders  need 
to  define  the  role  for  the  future  internal  workforce  and 
incorporate  necessary  developmental  programs  in  the 
overall  approach  and  work  plan. 

Q:  We  are  lucky  enough  to  have  an  organization  that 
doesn’t believe in outsourcing—although we do use
quite a few consultants in support of projects. As a
direct report to the CIO, however, I believe our organization
could benefit from outsourcing in providing
service  to  geographically  remote  business  partners. 
How  can  I  sell  the  program  without  selling  out? 

A:  You  may  not  have  to  sell  outsourcing  at  all.  Instead, 
simply  apply  the  use  of  consultants  or  contractors  to 
the  service  improvement  opportunities  you  describe. 
The difference between the occasional use of consultants
and contractors and outsourcing depends
on the level of control and assumption of risk. Outsourcing
entails a project or services based contract
where the desired outcomes and pricing are negotiated
and the outsourcer assumes accountability for managing
the details and delivering the results. Try defining a
program that mirrors the look and feel of the existing
consultant relationships and it’s doubtful you will be
viewed as a sellout.

Susan  Cramm  is  founder  and  president  of 
Valuedance,  an  executive  coaching  firm  in 
San  Clemente,  Calif.  You  can  e-mail  feedback 
to susan@valuedance.com.


Have  a  Leadership  Question? 


For more reader questions and
answers from Susan Cramm, go
online to www.cio.com/leadership.




Robert  Atkinson  KEYNOTE 


The  Luddites  Are  Coming! 

CIOs  must  arm  themselves  against  the  growing  backlash  to  revolutionary  new 
technologies  like  online  commerce  and  RFID  chips 


On  my  office  door  is  a  cartoon  showing  a  bus  with  an 
ad  on  it  proclaiming,  “Tired  of  all  the  technology? 
Visit  our  website:  www.luddites.com."  While  the 
cartoon  is  humorous,  what’s  not  funny  is  the  extent 
to  which  the  digital  revolution  has  sparked  a  neo-Luddite 
backlash  from  a  broad  spectrum  of  ideological  and  economic 
interests. Whether from companies seeking government protection
from more nimble e-commerce competitors or political
advocates decrying new IT applications as a threat to jobs, civil
liberties and privacy, CIOs seeking to implement new systems
may find themselves facing unexpected and sometimes powerful
opposition.

Luddites are hardly new. (They got their name from Englishman
Ned Ludd, whose followers sabotaged textile factories
at  the  beginning  of  the  Industrial  Revolution.)  What  is  new 
is  how  well-organized  these  neo-Luddites  are,  how  seriously 
they  are  taken  by  the  media  and  how  effectively  they  use  the 
political  system  to  advance  their  agendas. 

This growing array of neo-Luddites views new technology
as a threat to basic values and lifestyles. Groups from
the liberal ACLU to the conservative Eagle Forum are quick
to oppose IT innovations, especially those that might be perceived
as threatening civil liberties.

What  is  especially  troubling  is  that  in  contrast  to  the  past, 
when  Luddites  were  often  consigned  to  the  fringes  of  political 
debate,  today  they  enjoy  widespread  legitimacy.  Twenty  years 
ago  a  person  who  would  write  that  the  government  plans  to 
forcibly  implant  radio  frequency  identification  (RFID)  chips 
in  Americans,  akin  to  the  mark  of  the  beast  as  prophesied  in 
the  Book  of  Revelation,  would  be  dismissed  as  a  fanatic.  Yet  the 




ILLUSTRATION  BY  DAVID  HOLLENBACH 


Vol. I, Issue 3, October 2006

A SERIES FROM THE EDITORS OF COMPUTERWORLD AND CIO

Virtually Certain

THE CONUNDRUM is as old as the data center itself.
Maximizing business efficiency may well require you to
offload some portion of your IT operation to a third party, yet
how can you be certain the third party will maintain the
security of the data that’s the lifeblood of your business?

It’s a challenge that CIOs will increasingly confront,
because the economic conditions that have created it
are hardly abating. Forrester Research predicts that
spending in the U.S. for IT outsourcing will grow
from $68 billion in 2006 to $72 billion in 2007. And
while its forecast is more modest, IDC projects that
worldwide spending on IT outsourcing services will
grow at an annual rate of nearly 5% to reach $112
billion by 2010.

INSIDE

STRATEGY
“Security Can Never Leave”
PAGE 3

TACTICS
“Virtual Security: The Devil Is in the Details”
PAGE 11

OPINION
“Back-to-Basics Security”

Protecting  that  investment  means 
protecting  the  corporate  data  that’s 
entrusted  to  the  outsourcer. 

In this issue of Next-Gen IT, a series produced jointly
by the editorial teams of CIO and Computerworld,
we examine the issues involved in ensuring that your
outsourced data is properly locked down. The
examination is a crucial one: More than 90% of
respondents to an International Association of
Outsourcing Professionals survey said security breaches
related to outsourcing would be “catastrophic” to
their businesses.

If catastrophe strikes, moreover, the blame will rest
not with the outsourcer, but with your company. And
even if catastrophe is avoided, auditors and regulators
will hold your company responsible if your outsourcer
fails to comply with regulatory standards.

Fortunately, there’s a lot you can do to minimize the
chances of finding yourself in that unfortunate
circumstance — and to minimize the fallout if you do.
That’s what this issue is all about. As Galen Gruman
reports in “Security Can Never Leave” (page 3), M&T
Bank, for example, gave its outsourcer an incentive to
avoid problems by making it liable for the cost of
notifying affected customers of data breaches. And in
Robert L. Scheier’s piece titled “Virtual Security: The
Devil Is in the Details” (page 11), you’ll read about how
companies are taking tacks such as using dashboards to
dynamically monitor their outsourcer’s security
performance.

We invite you to take full advantage of the information
and pointers in this issue — and on our Web site
(ITNextGeneration.com) — so you can be certain that
your virtual IT department is as secure as the one
you’re sitting in.


NEXT-GEN ONLINE

For the online edition of this publication plus
relevant, related content from CIO and Computerworld,
visit our Web site:


Computerworld editor in chief Don Tennant ■ CIO editor in chief
Abbie Lundberg ■ Computerworld special projects editor
Ellen Fanning ■ CIO executive editor Christopher Koch ■
Art director April O’Connor ■ Illustrator Red Nose Studio ■
Managing editor/production Eugene Demaître ■ Copy editor
Monica Sambataro ■ Site architect William Hall


2  Next-Gen  IT  |  A  Series  From  the  Editors  of  Computerworld  and  CIO 


October  2006 


You  can  outsource  your  work 
to  others,  but  the  responsibility 
for  security  —  and  accountability 
for  any  problems  that  occur  — 
will  always  be  yours  alone. 


Security Can Never Leave

BY GALEN GRUMAN

MATT SPEARE had to do something that’s difficult for IT
leaders (and their career prospects): He had to nix a deal
that the business liked — a lot. The business people
at Speare’s company, M&T Bank Corp., wanted to sign on
with an outsourcer to handle some of its data management.
However, Speare, who is M&T’s corporate information
security officer, didn’t like what he saw in his team’s
audit of the outsourcer’s security procedures.

“It  pointed  out  management  issues 
in  their  control  environment  which 
they  could  not  remediate,”  he  says. 

Despite  some  internal  grumbling, 
M&T  selected  a  different  vendor. 
Speare says, “We had a lot of hand-wringing
over this, as well as project delays.” A few months
later, the bypassed vendor, which Speare refuses
to  name,  made  headlines  for  allowing 
credit  data  for  millions  of  people  to 
be  stolen.  “As  soon  as  the  headlines 
hit,  we  told  the  business,  ‘This  is  why 
we  do  that  diligence,’  ”  he  recalls. 

As IT outsourcing gains in popularity for cutting costs
and reducing internal management needs, enterprises are
increasingly trusting their vendors to ensure the security
of critical data and software processes. Yet they retain
the responsibility if something goes wrong, both because
it’s their reputations that could be damaged and because
regulators hold them accountable for the actions of
their providers. “Outsourcing doesn’t mean that the
internal organization isn’t responsible anymore,” says
Eric Litt, chief information security officer at General
Motors Corp. “You still have the responsibility and the
accountability to the business, so you have to define
the policies.”

A Pair Of Security Eyes

Not quite sure you can trust your outsourcer’s security?
Then don’t. Instead, hire a managed security service
provider (MSSP) to manage security for the outsourcer.

That’s the strategy many Fortune 500 companies take,
says Doug Howard, chief operating officer at
Counterpane Internet Security Inc., an MSSP in
Mountain View, Calif. Many traditional IT outsourcers,
such as IBM, are better at ensuring system availability
and uptime than at ensuring security, he says.
Besides, hiring an MSSP along with the outsourcer
means the two vendors are keeping an eye on each
other’s performance. While this setup results in two
vendor relationships to manage, he says, it generally
costs no more than securing the outsourcer yourself.

Such specialized help could be a nice addition to
the IT skills of your core outsourcer - if you’re willing
to manage two outsourcers rather than one.

- ROBERT L. SCHEIER

Indeed, a company’s security burden actually increases
when it’s considering outsourcing, because it’s no
longer just about being able to protect your own assets;
it’s about knowing whether the outsourcer knows how
to protect itself, too.

“Outsourcing actually requires an even
higher-performing [management] staff than if it’s in-sourced,”
says  Litt.  “You  need  to  know  at  least 
as  much  as  the  outsourcer  does.” 

CIOs  are  ultimately  responsible 
for  making  sure  that  their  companies 
are  protected,  regardless  of  where  the 
work  resides.  They  need  a  strategy 
for  building  security  competence 
in-house  and  monitoring  it  with  their 
outsourcers.  “You  can’t  outsource  your 
problems  to  fix  them.  You  can’t  expect 
the  service  provider  to  do  that,”  says 
Mark  Lobel,  a  partner  at  accounting 
firm  PricewaterhouseCoopers. 

Ensuring the security of your outsourced IT operations
doesn’t start or stop with due diligence. Instead, it
requires the following multistep process:

1. Assess your risks and define your security needs.
2. Validate vendor ability through due diligence.
3. Spell out the requirements contractually.
4. Monitor performance after you’ve chosen the outsourcer.

Validating Potential Vendors

For  most  companies  that  outsource 
IT,  validating  vendors’  processes  and 
capabilities  is  the  most  important 
step  to  ensuring  security.  There  are 
multiple  elements  in  this  strategy. 


Southwest  Airlines  Co.  starts 
with  a  detailed  request  for  proposals 
(RFP) for all aspects of the outsourcing
relationship, including security.
“Asking  a  lot  of  questions  upfront 
sets  the  expectations,  so  that  tends 
to  weed  out  those  vendors  who  can’t 
deliver,”  says  Robert  Schaffer,  senior 
director  of  technology  at  the  airline. 

Likewise, when GM seeks outsourcing
vendors, it first defines a statement
of  work  that  includes  service-level 
agreements  and  metrics,  Litt  says. 

“Savvy customers are asking questions
earlier,” notes Dave Bixler,
chief  information  security  officer  at 
Siemens  Business  Systems,  which 
provides  outsourcing  services. 

In addition to details on processes and policies,
CIOs should ask for details on staff turnover and
credentials, which are indicators of how well the
outsourcer can satisfy its promises, says Scott
Crawford, an analyst at Enterprise Management
Associates. “You don’t want them to have mail-order
diplomas,” he says.

“You’re  not  going  to  have  all  the 
questions  and  answers  upfront,” 
cautions  Pawan  Verma,  managing 
director  of  the  outsourcing  advisory 
practice  at  PricewaterhouseCoopers. 
“What you need to achieve is a confidence
that they can deal with issues.
Look  for  a  comfort  level  that  you  can 
work  with  the  folks  across  the  table.” 

Bixler  says  most  customers  deal 
with  security  by  having  a  face-to-face 
meeting  with  him  to  assess  whether 
he  knows  what  he’s  doing.  But  Bixler 
cautions  against  relying  too  much  on 
that  personal  evaluation.  “What  if  I 
leave?” he asks. He encourages customers
to do their homework first.




Go Beyond the Usual Suspects

Evaluating  RFP  responses  is  just  the 
first step in the vetting process. Corporate
IT should also talk to vendors’
customers and conduct Web and other
searches to see if there have been
publicized  security  failures,  financial 
concerns  or  other  indicators  that  a 
vendor  might  not  be  able  to  deliver. 

“Google is your friend,” says Andrew Jaquith, an
analyst at Yankee Group Research Inc. It’s particularly
useful to ask reference customers why they did not
choose another vendor; this helps build up pros and cons
across the vendors you’re considering, rather than just
see the successes, he adds.

Also ask to see copies of third-party certifications,
third-party audits and internal audits, recommends
Jaquith. Even if you don’t get everything you seek,
you’ll get a better sense of the vendor’s responsiveness
and openness, both of which are crucial to a successful
relationship. “You’re looking at the preponderance
of evidence,” he adds.




But  be  sure  to  know  what  audits 
the  vendor  has  or  should  have  by 
talking to other customers and auditors,
advises Litt. “Otherwise, they’ll
just  say  it’s  not  available,”  he  says. 

When  you  do  get  them,  don’t  take 
all certificates and audits at face value.
The Statement on Auditing Standards
(SAS) 70 self-audit, for example,
measures whether a vendor delivers
on the processes it identifies — but
it doesn’t evaluate whether those are
the right processes, notes PricewaterhouseCoopers’
Lobel. Also watch out
for “qualified” SAS 70 audits, which
mean that the internal controls for
the identified processes are not being
applied consistently, calling into
question actual performance, he says.

Take  a  Look  at  Yourself 

That’s why, at least for particularly critical IT functions, organizations should consider conducting their own audits, suggests Southwest’s Schaffer.

Even smaller companies can do this, says Steve Withers, IT director at EaglePicher Technologies LLC, a manufacturer in Joplin, Mo. Withers says he visits his outsourced data center regularly “to see how seriously they take security in between audits.”

Most industries have no mature auditing or certification standards that enterprises can rely on to assess potential vendors. “The standards are not as complete as they need to be,” observes Litt, although there is some draft work under way. The financial industry is furthest ahead: The banking industry has the Payment Card Information data security standard and the Financial Institution Shared Assessments Program.

For Web-based applications, the Web Application Security Consortium has defined security standards.

More broadly, the ISO 27001 standard for auditing security management is also emerging as a system for sharable audits, especially in India, explains Jaquith. And the American Institute of Certified Public Accountants Privacy Task Force has recently developed its Generally Accepted Privacy Principles to enable third-party audits whose conclusions cover the needs of many industries.


Going Global Increases Risks

If you’re outsourcing to other countries, there are additional concerns, says Steve Gordon, a professor of IT management at Babson College. “Even if vendors provide the appropriate audits, the legal controls to enforce them don’t exist, so you have less leverage. And it’s harder to get restitution,” he notes.

Wanting to gain outsourcing business, some nations are emulating U.S. laws so the legal frameworks match. Generally, European countries are as strict as or stricter than the U.S., and Canada is fairly equivalent.

Prodded by India’s National Association of Software and Service Companies, that country’s government has begun aligning its laws to U.S. standards, says Rena Mears, privacy and data protection service director at accounting firm Deloitte & Touche USA LLP.

Japan has developed stricter requirements, mainly in response to demands from Japanese companies rather than to satisfy outsourcers that serve the U.S., she notes.

China is assessing its legal system, but for now, “there’s little control over data protection and licensing,” says PricewaterhouseCoopers’ Verma.

Aligning the outsourcers’ corporate presence with the countries where you need legal protection can also help. M&T Bank solves the dilemma by requiring any outsourcers it uses to have incorporated entities in the U.S. so they’re subject to U.S. laws.

Similarly, companies often look to European outsourcers to handle European customers’ data. The data protection laws there are stricter than in the U.S., and European outsourcers are generally better versed in the requirements, says Don DePalma, president of IT consultancy Common Sense Advisory Inc.


Get  It  in  Writing 

Once a CIO is satisfied with an outsourcer’s ability to secure its data and applications, the next step is to codify the expectations, monitoring mechanisms and liability in case of failure.

Some CIOs say that rather than rely on the outsourcer’s experience with other customers or a boilerplate contract, companies should develop codification from scratch.

“We think it is a horrible mistake to take the vendor’s contract and modify it,” says Speare. “You should have your own language.” Of course, vendors would prefer not to have separate contracts with each customer.

Wherever a contract’s language originates, CIOs should view contracts as dynamic documents, updating them as needs change. For example, M&T Bank changed the liability provisions in its outsourcing contracts last year after regulations arose that mandated the disclosure of privacy breaches to affected customers. As an incentive to avoid problems, M&T made the outsourcer liable for the cost of notifying affected customers of data breaches — $137 per customer, says Speare.

Keep  Monitoring 

It’s nearly impossible to technologically monitor how outsourcers keep data secure on their own premises. Monitoring tools vary widely, and monitoring could unintentionally expose data from the outsourcer’s other customers. That’s why consultants and analysts recommend that businesses insist on a right-to-audit clause in their contracts, so they can do their own checking of the outsourcer’s processes to ensure that the service levels are maintained.

But customers rarely follow through, says Bixler. The reason: “It’s very resource-intensive, and most companies that hire outsourcers no longer have the resources to do the audit,” he says.

Even if audits are rarely performed, requiring them is still a good idea. At Southwest, “it’s rare to audit outsourcers, but it has been done,” says Schaffer. “It’s done based on risk, such as when something doesn’t feel right.” Southwest also gets a feel for outsourcers’ performance by using information in audits for other purposes, such as Sarbanes-Oxley Act compliance, since these audits typically examine both Southwest and its outsourcers.

Another useful tool for low- or medium-risk data is to settle for a review of the outsourcer’s support documentation, says Speare, because that will show whether the outsourcer is keeping its policies current and maintaining its operational rigor.


How to End the Relationship

An often-overlooked issue in securing an outsourcing relationship is how to handle its dissolution. For example, Withers is working with other customers of EaglePicher’s manufacturing information systems outsourcer, Plexus Systems LLC, to create a trust arrangement for EaglePicher’s data in case the young outsourcer goes out of business. And when you leave, “how can you ensure that all your data is wiped clean?” asks DePalma.

For him, the question is not academic: DePalma was shocked to discover that six months after Common Sense ended its relationship with Salesforce.com Inc., the company’s data was still on the CRM provider’s servers, even though Salesforce.com had promised to delete the data after a month. Common Sense learned of the retained data only when it began discussing a new relationship with Salesforce.com. (Salesforce.com declined to discuss its data management policies.)


It’s All About Risk Assessment

There’s no way to absolutely ensure that your chosen vendor will secure your data and applications, regardless of the due diligence, contractual requirements and monitoring you apply. “You don’t have infinite resources, so you can’t solve everything,” says Deloitte’s Mears. “It comes down to what is the most critical thing to protect and how do you go about it.”

“People are clearly thinking about security plenty,” says Yankee Group’s Jaquith. “But thinking and doing are two different things. You need to know what you’re getting into.”

Responsibility for security never leaves the CIO’s desk, even when the work does. Without serious due diligence and a robust set of policies for handling security with IT providers, outsourcing can become a game of Russian roulette.


Gruman,  principal  of  The  Zango  Group 
and  a  regular  contributor  to  CIO,  can  be 
reached  at  ggruman@zangogroup.com. 


SaaS  Providers? 


An emerging form of outsourcing is software as a service (SaaS), in which a vendor has a common application used by multiple customers. Unlike traditional outsourcing, there is no customization for each client, so the security policies are generally not negotiable beyond lower-level functions such as encryption standards or use of virtual private network connections.

“SaaS providers should make their security and privacy policies clear upfront,” advises Steve Gordon, professor of IT management at Babson College.

SaaS providers can go a long way to gaining CIOs’ trust if they get reputable independent audits that they share with customers, says Andrew Jaquith, an analyst at Yankee Group. “It doesn’t need to be done for every customer,” he says.

General Motors eyes SaaS providers cautiously, given its inability to impose its desired level of control on them. “If their contracts don’t meet our security needs, we’ll end discussions,” says Eric Litt, the automaker’s chief information security officer.

“We wouldn’t use SaaS,” says Matt Speare, corporate information security officer at M&T Bank. Speare is concerned about data management. “They intermix data, which contradicts financial services rules that require data segregation to ensure that data is truly destroyed” when it is no longer needed, he says. Both Litt and Speare say SaaS is better suited to smaller companies that have less risk or ability to manage risk.

Even if a company bars SaaS because of security concerns, such arrangements could still be a problem, Gordon notes, because departments may use a SaaS provider without IT’s knowledge.

IT has some recourse, including blacklisting unapproved SaaS providers’ Web addresses from the network and using content filtering to detect leakage of corporate data to a Web site (which may indicate transfer to a SaaS system). But neither solution is perfect, so stubborn users may still use SaaS behind your back.

-  GALEN  GRUMAN 




SECURITY: The Devil Is in the Details

From the initial contract to ongoing monitoring, it pays to get specific with your outsourcer about the security needs of your company.

BY ROBERT L. SCHEIER

Hoping to save money and respond more nimbly to changing business conditions, companies are increasingly going “virtual” with their data centers, outsourcing the management of key applications and data.

But with new regulations and laws raising the penalties for security breaches, customers are becoming more and more concerned about whether their outsourcers can keep their systems and data safe.

In a survey conducted earlier this year by the International Association of Outsourcing Professionals, more than 90% of respondents said security breaches related to outsourcing would be “catastrophic” to their businesses, and 45% said they were more or much more concerned about data security than they were a year ago.

Watson Wyatt Worldwide Inc. in Arlington, Va., administers outsourced employee-benefit plans for its customers and outsources some of its own IT functions to outside vendors. Five years ago, customers would leave it up to Watson Wyatt to perform vulnerability assessments of the Web applications that it manages for them, says Ryan Hunter, service delivery manager. Now, he says, there’s a “huge uptick” in clients demanding to perform their own vulnerability scans to meet regulatory requirements.

Despite such worries, there’s no stopping the headlong move to outsourcing. For the many companies that will hand over all or a piece of their IT systems this year to third parties, tricky tactical issues involving security come to the fore. And according to IT executives who have been there, it’s all about keeping an eye on the details. Here’s how to ensure that your outsourcer keeps your systems, applications and data in secure lockdown, and some information about the technologies that can help.

Despite the number of tools and services used to track security, it’s still a major challenge to get a single view of all the vulnerabilities within all systems.
RYAN HUNTER, SERVICE DELIVERY MANAGER, WATSON WYATT WORLDWIDE INC.

Get Specific With What You Need

Almost every organization has different security needs, based on the industry it is in, the type of systems it runs, the type of data it controls and the laws, regulations or industry standards it must follow. That’s why effective management of an outsourcer’s security must begin with an internal data assessment (see story, page 3). The customer can then use those internal requirements to build the processes and requirements their outsourcers must fulfill.

Some customers use off-the-shelf software to help assess the criticality of the IT services they have outsourced and what security measures they should demand of their outsourcers.

For example, Credit First National Association in Cleveland provides credit card services for Bridgestone/Firestone North American Tire LLC and relies on the parent company’s internal IT department for services. To ensure that the IT group is complying with financial regulations, the credit card unit uses ControlPath Vendor Management software from ControlPath Inc. in Englewood, Colo., to identify the security requirements that its IT partner must meet.

As a result of this assessment, outsourcers “might have to answer how they handle the security of their employees, the security of their information systems or their contingency planning,” says Peter Racco, manager of information and physical security and enterprise risk management at Credit First National. If a contract needs to be checked, for example, ControlPath fires off an e-mail to a lawyer advising him to be sure the contract is current. To do such work manually, Racco says, “I would have had to hire five or six full-time employees.”

It’s also important to be very specific about your security needs, especially with an outsourcer that is more focused on meeting performance or efficiency goals than on security. In many cases, customers are hiring managed security service providers (see “A Second Pair of Security Eyes,” page 4).

Sometimes a customer needs to drill down into details such as how an outsourcer staffs its data centers during vacations or other employee shortages. David Melnick, a senior manager at accounting and consulting firm Deloitte & Touche USA LLP, remembers one outsourcer that gave more than 100 employees administrative privileges on a customer’s systems so they could fill in for other network, database or systems administrators who were out sick or on vacation. The customer considered this practice unacceptable and persuaded the outsourcer to instead give only limited-time access to such employees, reducing the number of people with unlimited rights to its sensitive systems.

Melnick also suggests detailing in contracts or service-level agreements (SLA) exactly what tests a customer can run on an outsourcer’s security and which systems can be tested.


Keep a Close Watch on Performance

Outsourcers also need to ensure that the access rights of their customers’ users are properly changed as their jobs change and that those rights end when a user leaves the organization.

It’s hard enough to track down all the internal systems on which a user may have been granted a password, says Jon Watts, a principal at Booz Allen Hamilton Inc., a McLean, Va.-based consulting firm. “When you add in the component of an outsourcing relationship, it gets even more complex,” he says. Auditors and regulators are “going to hold you responsible for ensuring the right access to your systems, whether you do it directly or if your outsourcer” does it, Watts says.

Outsourcing customers should first clean up their internal processes for maintaining proper user-access rights and then build those same requirements into contracts or SLAs with outsourcers, says Watts. This includes “performance monitoring to make sure these things are actually happening,” he says.

Road Map to Outsourcing

Based on an internal assessment of critical data, be very specific in contracts and service-level agreements about which security processes you expect your outsourcer to perform and how.

Use established standards where possible, and even standard outside reports, to develop requirements or assess your outsourcer’s performance.

Where necessary, specify the proper access-control measures the outsourcer must take, including which of its employees have privileged access to databases and networks.

Consider supplementing audits with real-time monitoring of systems or security logs.

[Chart: SECURITY IS TOP OF MIND. When selecting an outsourcing partner, what are the most important evaluation factors? Factors shown: capabilities and quality of services; pricing of service and cost savings to the company; provider’s security policies, capabilities and track record; financial strength and business stability; reputation, brand and references; provider’s regulatory and compliance history; geographic factors.]

Periodic audits are a vital and accepted part of the monitoring process. They are valuable because they are structured, evaluate the same criteria consistently and produce a detailed view of the outsourcer’s actual performance over time.

However, they produce only a point-in-time snapshot that may overlook more critical and immediate problems. That’s why a small but growing number of outsourcing customers are also using dashboards or other software to dynamically monitor an outsourcer’s security performance.

See It All With Real-Time Monitoring

Dashboards gather and analyze information drawn from an outsourcer’s security, identity management or access management systems and present it in a graphical, easy-to-understand form. Many security monitoring and control tools that internal systems administrators already use can present reports to a user outside the production network, such as a customer wanting to monitor the quality of an outsourcer’s performance. Whether a specific dashboard is right for the job depends on its ability to draw data from the various systems at the outsourcer, how well the dashboard can protect the information, and its ability to analyze and report on its findings.

One such tool is Consul InSight Security Manager from Consul Risk Management Inc. It monitors the actions of database administrators and other employees at the outsourcer, assesses whether the outsourcer’s IT infrastructure complies with the customer’s regulatory requirements, monitors database access, and manages logs for network and security devices.

One customer deploys the Consul software across a virtual private network to monitor an outsourcer that manages about 20,000 of its servers. Consul presents the results in the form of 20 to 30 custom reports. When an auditor asks for a report on change management violations at the outsourcer, for example, the customer can simply hit the print button on the product to generate the report, says Marc van Zadelhoff, Consul’s vice president of marketing and business development.

Dashboards summarizing the data gathered by such tools should be created not just for executives, but also for various management levels within the customer, says Guillermo Kopp, a vice president at TowerGroup, a research and consulting firm in Needham, Mass. Executives might need “the very big summary saying all systems are go; the lights are green,” he says, with only network and systems managers receiving information about specific transactions.

But like some other observers, Kopp suggests using dashboards “for a sense of if the outsourcer is doing well,” and drilling down into specifics such as analyzing firewall or access logs only if there’s evidence that the outsourcer is failing or during a periodic audit.

Ted Julian, vice president of marketing at Application Security Inc., a vulnerability scanning and monitoring vendor, says regular reports on how well the outsourcer is following the customer’s contractual requirements for patch and password management “is probably more important than real-time reporting” from the outsourcer’s security systems. Tracking the outsourcer’s performance on criteria the customer set beforehand, such as how often user passwords must be changed and how quickly security patches are applied, are better indicators of whether the outsourcer’s security performance is improving over time, he says.


WORRIED ABOUT CYBERSPACE

When evaluating or managing outsourcing relationships, how concerned are you about the following types of security threats?

Percentage of respondents who answered “very important”:

[illegible]% Theft, misuse or damage of company systems and data from outside the outsourcer (such as system hacking, viruses, spyware infiltration)

[illegible]% Theft, misuse or damage of the company systems or data from inside the outsourcer

[illegible]% Theft or damage of data or assets via compromises of physical security (break-ins, vandalism)

[illegible]% Compromise of operating continuity because of external factors (natural disasters, political instability)

SOURCE: BOOZ ALLEN HAMILTON INC. SURVEY OF 158 EXECUTIVES. MARCH 2006


BIGGEST CHALLENGES

Which factors present the biggest management challenges in evaluating and managing security in outsourcing relationships?

Establishing effective security management requirements in the contracts

Monitoring, auditing and evaluating vendor compliance with an established security policy

Evaluating and implementing security technology and process integration

Acquiring and maintaining the right skills and capabilities to manage security

Determining how much to invest in security in an outsourcing relationship

Delivering effective training in policies and procedures of outsourcing providers

Develop Your Own Security Policies

One reason many customers find it hard to trust their outsourcers’ security claims is that different standards bodies promote different security standards and use different types of reports to monitor compliance with those standards. The lack of standards “makes it hard to compare vendors apples to apples,” says Watson Wyatt’s Hunter.

And while security management and monitoring tools are improving, some observers say it’s still too hard to get an overall view of their own security situations — much less that of an outsourcer. Hunter uses multiple tools from different vendors and a third-party scanning service to monitor the security of his applications. But he says it’s still a major challenge to get a single view of all the vulnerabilities within all systems and how changes to any of those applications and platforms will affect the security of other parts of the IT infrastructure.

All these complexities make it even more important for customers to develop effective security policies for themselves before they try to determine how good a job an outsourcer is doing. “You’ve got to look at your own security processes,” says Watts, before deciding whom to outsource to and how to keep an eye on them. ♦


Scheier  is  a  freelance  writer  in 
Boylston,  Mass.  He  can  be  reached 
at  rscheier@charter.net.  Additional 
reporting  by  Galen  Gruman. 


14  Next-Gen  IT  |  A  Series  From  the  Editors  of  Computerworld  and  CIO 


October  2006 




Under the Sarbanes-Oxley Act and the European Union’s data-protection directives, you’re responsible for any security breaches that occur — both yours and your outsourcer’s. Fortunately, many security products are becoming more economically viable. Retina scans and voice recognition are now feasible identification tools. Cryptographic hashes used for data encryption (such as SHA-1 and Snefru) are growing stronger. Statistical anomaly techniques for intrusion detection are also improving. Researchers are working on systems to identify people by odor, ear shape, hand vein patterns and gait.

However, even the most advanced tools won’t protect you if basic security procedures are not in place. The 2005 Computer Security Institute/FBI survey reports that only half of corporate security breaches fit the stereotype of cybercriminals using the latest James Bond tools or Defcon techniques. The other half originate inside your own organization through, for example, human error, poor procedures or employee theft.

Basic security controls will prevent most security breaches. Make sure your outsourcer takes at least the following steps:

■ Conducts background checks on all employees. Insider attacks are the hardest to prevent.

■ Disables orphan accounts promptly. Passwords and e-mail accounts should be disabled as soon as an employee leaves. Although this seems obvious, it can be difficult in organizations with decentralized security management systems or where many outsiders (contractors, researchers, etc.) are granted access.

■ Establishes a physically secure environment. Many buildings require entry badges but can be easily entered by “tailgating” employees who hold doors open. Server centers are often in buildings subject to fires, floods, earthquakes — or roof leaks.

■ Secures the electronic environment. Easy hacker access should be eliminated by disabling wireless networks and closing any open ports. Make sure passwords are complex enough to be secure and are changed regularly. (Many employees still leave their passwords taped to their monitors!) Servers and data should be virtualized. Software patches must be applied regularly, and backup files should be sent to a secure off-site location.

■ Develops security procedures. Ensure that your outsourcer complies with regulations such as the Gramm-Leach-Bliley Act and HIPAA or industry standards such as PCI-DSS for credit card handling.

■ Establishes an intrusion-detection group. The Internet Engineering Task Force is developing a common format for tracking electronic intrusions. Monitor its progress, and make sure the eventual standards are adopted.

Expect your outsourcer to provide basic security; consult industry associations such as BITS or universities such as Rutgers for checklists. Make sure security controls are specified clearly in your contract. Large outsourcers can provide additional levels of security — at additional cost. Carefully analyze your need for extra security, since all data is not equally sensitive. Balance the cost of additional security against the probability and cost of potential loss, then factor in your company’s tolerance for risk.

Security considerations are critical to successful outsourcing efforts. Before you sign the contract, make sure your outsourcer can provide security levels that match your organization’s needs. Prevent predators from leveraging small security mistakes into enormous and costly losses. ♦


Perkins is managing partner at Louisville, Ky.-based Leverage Partners Inc., which helps organizations invest well in IT. He was previously CIO at Tricon Global Restaurants Inc. and Dole Food Co. Contact him at BartPerkins@LeveragePartners.com.






Robert  Atkinson 


KEYNOTE 


person  who  makes  this  claim,  Katherine  Albrecht,  is  quoted 
by  the  media  and  invited  to  testify  at  government  hearings. 

The  Campaign  Against  IT 

Not all the efforts to stifle new IT succeed. When advocacy groups decried Google’s Gmail system (through which consumers get free e-mail in exchange for viewing ads based on their message content) as a threat to privacy, Gmail users ignored the alarm because they recognized Gmail poses little risk.

But on other issues, the digital Luddites are having more success. In particular, a major reason the U.S. government does not require driver’s licenses to be secured against fraud using a smart chip (which could incorporate biometric data such as a fingerprint) is that privacy extremists have engaged in a campaign of deception to convince policy-makers, the press and the public that this would turn America into a “show us your papers” state.

Yet none of the bills proposing a smart driver’s license would have changed the laws governing when citizens must show identification to law enforcement officials. Last year, Congress passed the Real ID Act, which requires the federal government to promulgate technology standards for driver’s licenses. But political pressure exerted by privacy groups makes it unclear whether smart driver’s licenses will be required.

Now the privacy activists have set their sights on stopping RFID. A visible opponent is Albrecht, who heads Consumers Against Supermarket Privacy Invasion and Numbering and is author of the anti-RFID book Spychips. Albrecht and other RFID opponents seem to have convinced legislators in at least five states that RFID should be curtailed. While none of the proposed bills has been enacted, some have come close.

One reason these bills get as far as they do is that the media has failed to present an objective view of privacy issues related to RFID. It’s not unusual for press coverage of RFID to focus almost exclusively on the purported privacy threats, without examining the validity of such claims. Because most reporters are not technical experts, it is easy for the digital Luddites to get them to fall for alarmist fairy tales.

To be sure, new technologies pose legitimate concerns (for example, the State Department’s initial proposal for an RFID-enabled passport failed to include encryption of the data on the chip). But by trying to stop new technology, rather than focusing on putting appropriate rules in place to govern its use, the opposition is hindering needed debate about how to get the benefits of new technology while protecting individuals.


Consumers vs. Chips

For more about the debate surrounding the PRIVACY IMPLICATIONS OF RFID, go to www.cio.com/100106

Passionate activists are not the only digital Luddites. Businesses threatened by technology-based competition have sought to enlist government protection. As a result, the biggest challenge for many companies trying to introduce a new digital business model may be fighting efforts of threatened competitors to stifle online competition.

Because of the lobbying efforts of car dealers, it’s illegal in every state for a manufacturer to sell a car directly to the consumer. The National Association of Realtors has helped full-service real estate agents push for state laws prohibiting online discount brokers. The Texas Legal Review board, made up largely of attorneys, banned the sale of the software program Quicken Family Lawyer on the grounds that Quicken was engaged in unauthorized practice of law. (Luckily, the Texas legislature overturned the ruling.)

Take  Control  of  the  Debate 

It’s too easy for CIOs, caught up in the business benefits of their IT systems, to fail to see the opposition before it’s too late. As a result, as CIOs plan their organization’s IT future, they would be well-advised to take into account potential objections from digital Luddites. CIOs need to recognize that some applications—even those that seem perfectly reasonable to an engineering and IT-centric culture—may spark spirited opposition from threatened interests or antitechnology ideologues.

What can CIOs do? Perhaps the most important thing is to preempt the neo-Luddites by defining the issue your way. RFIDs do not have to be “spychips,” they can be “consumer value chips.” Online automobile sales do not have to be a threat to car dealers but an opportunity to give consumers more choices and more power.

Meanwhile, on a broader level, technology executives should get involved in the public debate about IT by educating the media and elected officials about how IT works and about its broad societal and economic benefits. Perhaps, like the followers of Ned Ludd, today’s digital Luddites will be consigned to a similar fate of historical irrelevance. But let’s hope that happens before too many digital business models are wrecked.


Robert Atkinson is president of the Information Technology and Innovation Foundation, a think tank based in Washington, D.C. He can be reached at ratkinson@innovationpolicy.org. To comment on this article, go to the online version at www.cio.com/100106.


50  OCTOBER  1,  2006  |  www.cio.com 




Cover  Story  |  Outsourcing 


The boss may assume that outsourcing is the answer to everything. But CIOs can’t afford to assume anything. They have to know.


It’s a scenario scary enough to induce night sweats in even the steeliest CIO. Your CEO, just back from a conference in Phoenix, strides into your office. Yesterday, he played golf with the vice president of sales for one of the big IT services companies and now he’s telling you that this company could take over most of your IT functions and cut your company’s IT budget in half. Not only that, they can deliver better service levels. After all, it’s what they do!

Our business isn’t IT anyway, the CEO continues, waxing enthusiastic. And our biggest competitor just signed an outsourcing megadeal, too. Best of all, there’s no need for a long, drawn-out RFP process. “Just call this guy up tomorrow,” the boss says with a big smile, sliding a blue-and-white business card across your desk. He’s doing you a favor. “It’s practically a done deal,” he concludes happily.


Reader ROI

:: Why you need a sourcing strategy

:: When it pays to keep an IT function in-house

:: How to communicate your message to the executive suite




To make his outsourcing decisions, Henry Schein CTO Jim Harding says he puts “a ton of time into benchmarking.”





For many CIOs, this nightmare is neither a dream nor all that uncommon. But unlike most dreams, the morning after brings consequences that are all too real. Outsourcing a particular function within IT—or all of them—without considerable study can have disastrous consequences that you, not your CEO, will have to solve.

In the past year alone, 47 percent of companies have prematurely ended an outsourcing arrangement, according to research by Diamond Management and Technology Consultants. Forty-three percent of them brought the work back in-house, indicating it may not have been a good decision to farm out the function in the first place.

“Outsourcing, onshore or offshore, if not done right or done for the right reasons, can tip things the wrong way,” says Chris Jones, principal of consultancy Source:Renaissance. “It can have negative effects on IT, on the business and, ultimately, your customers.”

How to Get Ready for the CEO

Short of locking the executive team in a tower, there’s no way to prevent them from falling under the influence of high-pressure, enthusiastic vendors. Selling is what vendors do. But you can ensure you’re not backed into a corner on a decision as important as outsourcing a portion of IT’s portfolio. How? By having a well-thought-out and clearly articulated IT sourcing strategy already in place when your CEO comes knocking.


Risky Business

Costs, quality and the relationship of IT to the overall business strategy are critical factors in deciding whether or not to outsource. But other nontangible risks must be factored into the business case as well. According to outsourcing consultancy Ventoro, they include:

Employee impact: Outsourcing can affect employee morale and productivity in the short and long term.

Customer impact: Decisions to outsource may have a negative effect on customer opinion and ultimately on revenue.

Partner impact: An outsourcing deal may force process and system changes on other vendors with whom you work.

Laws and regulations: Outsourcing can affect your ability to comply effectively with laws, regulations and other standards. Compliance in an outsourced model can also cost more.

Security and intellectual property protection: Outsourcing can impact system, facility and data security and may increase the potential for IP theft, fraud or other problems.

Business continuity and termination: An outsourcing deal that fails can interfere with day-to-day operations.

Performance and support: Outsourcing can affect real-time systems performance, IT support costs and technology integration.

-S.O.

“The most mature IT organizations understand the whole of their operations. They have good metrics to track costs and service levels. They know the different points in the enterprise that could affect the IT operation as a whole,” says Dane Anderson, research director of IT services and sourcing for Gartner. “They have a sourcing strategy already pulled together to defend against misleading or poorly thought-through outsourcing decisions long before the big ‘O’ word even comes down from on high.”

The point of such a plan is not to build an a priori case against outsourcing. The goal is to gather all the facts—such as how IT fits into the overall business strategy, what the real costs and service levels are internally, how they compare with the outsourcing market, as well as input from relevant business constituents—to create a fair-minded framework for making the best sourcing decision in any situation. “It’s much better to proactively investigate the sourcing alternatives,” says Jeffrey M. Kaplan, managing director of consultancy ThinkStrategies, “than to find yourself reacting to proposals from your superiors.”

Doing all this takes time and effort. But with such a politically charged decision as outsourcing, such a plan goes a long way toward keeping emotion out of the debate. “I recommend that every CIO build an internal core competency in sourcing decision making. This way, when the CEO or CFO says, ‘I just spoke to EDS or BearingPoint and they can do all this for me—why shouldn’t we let them do it?’ you can say, ‘Great question! Here’s why,’” says Thomas Koulopoulos, executive director of Perot Systems Innovation Labs and author of Smartsourcing.

“And if the question hasn’t been asked yet,” Koulopoulos says, “be assured it will be.”

Tie Sourcing Strategy to Business Strategy

Business executives have their own motivations when it comes to outsourcing IT functions. A CEO may see it as a chance to focus internal employees on core competencies or to transfer risk to a vendor. A CFO will be scouting for an opportunity to slice 30 percent off the bottom line.

CIOs can have good reasons not to outsource a certain function at a particular point in time. The trouble is that the CIOs’ first line of defense tends to be IT-centric, which sounds self-serving. As a result, says Phil Hatch, founder of sourcing consultancy Ventoro, “they’re not getting enough traction [with executives] when they explain what might be dangerous about outsourcing a certain problem.”

The  solution  is  to  create  a  sourcing  strategy  that’s  tied  to 


56  OCTOBER  1,  2006  |  www.cio.com 


ADVERTISEMENT 


CIO  EXECUTIVE  VIEWPOINT 

Centered  Outsourcing 

PwC  Advisory  explores  the  role  of  the  "Center  of  Excellence" 


Paul  Horowitz 

Principal  and  National  Leader  of  PwC  Advisory's  Outsourcing  Practice 

As  outsourcing  and  offshoring  morph  in  sheer  scale  and  complexity,  organizations 
struggle  to  get  more  out  of  their  initiatives  than  just  cost  savings.  Paul  Horowitz, 
principal  and  national  leader  of  PwC  Advisory’s  outsourcing  practice,  offers  learned 
insight  into  this  strategic  transaction,  with  specific  tips  for  leveraging  Centers  of 
Excellence  to  positively  impact  the  bottom  line. 


What  are  some  of  the  risks  that  can 
derail  an  outsourcing  or  offshoring 
initiative? 

There  is  a  whole  host  of  outsourcing  risks. 
Political  or  country  risk  is  number  one. 
While  one  country  may  be  the  lowest  cost 
provider,  it  may  not  be  the  lowest  risk 
option.  Organizations  need  to  consider 
the  trade-offs,  such  as  political  instability, 
corruption,  tax  implications  and  more. 
Then  there  is  contractual  risk,  which  often 
stems  from  improperly  defined  scopes  of 
work  and  unrealistic  expectations,  and 
cultural  risks,  which  have  to  do  with  lan¬ 
guage  skills  and  communications  protocol. 

Have  these  risks  changed  over  the  past 
five  years? 

For  one,  the  global  economy  has  opened 
doors  to  new  dependencies  and  threats. 
Also,  more  processes  and  mission-critical 
applications  are  going  offshore,  which  in¬ 
creases  the  overall  risk  profile.  Regulatory 
compliance  is  tightening,  while  terrorist 
threats  and  the  like  have  CIOs  think¬ 
ing  harder  about  disaster  recovery.  Most 
evident is the changing attitude toward risk. In the past, there
wasn’t a tremendous focus on risk - outsourcing was just a
cost-cutting measure. Today, it’s a strategic business transaction
that can impact shareholder value.

How much risk gets transferred to the
service provider?

There is no true transference of risk. Whether it’s poor customer
service or failure to meet SLAs (service level agreements), an
organization’s brand and reputation are on the line. That said, we do
see service providers doing more around location analysis and
disaster recovery. But in the end, the onus is on the organization
to own and mitigate outsourcing risks.

How are outsourcing risks best
addressed?

An outsourcing initiative should be approached and managed like any
other strategic business deal - meaning it requires the same rigor,
organizational muscle and governance that go into mergers,
divestitures or other strategic deals. Also, organizations need a
true risk management strategy - and people to look after it - because
the rules have changed and outsourcing transactions can be much
more complex than ever before. Finally, get key stakeholders from
across business units engaged in the process.

What are some of the best practices in
outsourcing governance?

The most effective way to manage risk is to have an outsourcing
governance program in place well before contracts are signed. The
singular best practice for translating the governance program into
performance is to establish an outsourcing Center of Excellence.
This is an internal, cross-functional team whose charter is to
develop and manage outsourcing processes. It is responsible for
providing a framework for governance and management for all
corporate outsourcing initiatives, while guiding the engagement
at a program or operational level.

What must CIOs avoid in establishing
these Centers of Excellence?

First, don’t approach an outsourcing project without involving all
organizational stakeholders - business units, HR, finance, IT,
operations, legal, procurement, etc. The Center of Excellence must
bring that cross-functional “A-team” together. Second, if
outsourcing is viewed as just a cost-cutting measure, the Center of
Excellence will not have the authority to make strategic
recommendations. Third, don’t jump to the “simple” answer by
choosing the lowest-cost provider or immediately opting to go
offshore - let the Center of Excellence use its full resources to
justify the business case.

What business results should CIOs
expect from their Center of Excellence?

With a solid Center of Excellence, outsourcing transactions are
smoother, higher value, and implemented faster because the entire
process was well planned and well managed.

in addressing today's outsourcing risks.


For  More  Information: 

Check  out  this  white  paper, 

“How  to  succeed  in  outsourcing 
through  strengthened  governance”, 
at www.cio.com/whitepapers/pwc

PricewaterhouseCoopers


Custom  Publishing 


Cover  Story  |  Outsourcing 


the overall business strategy. Sixty-five percent of IT organizations
lack a sourcing plan, says Anderson of Gartner.
“And  those  that  do  have  a  document  collecting  dust.  It’s  like 
the  letter  to  shareholders  in  the  annual  report.  It’s  not  an 
actionable  document.  It  doesn’t  tell  you  how  these  decisions 
will  be  made.” 

A good sourcing strategy starts with the goals of the corporation
and works from that to lay out the objectives for IT.
That  clear  connection  will  enable  the  CIO  to  create  a  decision 
framework  to  guide  sourcing  choices. 

How  Dow  Does  It 

Dow Chemical’s IT leadership hasn’t been bashful about
outsourcing—or about how IT sourcing decisions fit into
the big picture. “At Dow, our overall vision is to be the largest,
most respected chemical company in the world,” says
Mack  Murrell,  the  senior  director  of  information  systems 
and  office  facilities  for  the  $46.3  billion  chemical  company. 
“That  says  a  lot.” 

What  says  more  are  the  principles  the  company  follows 
to  achieve  that  goal.  “Everything  in  IT  aligns  to  one  or  more 
of  our  four  strategic  themes:  driving  financial  discipline, 
creating  sustainability,  focusing  on  people  and  investing 
for  growth,”  says  Murrell.  Keeping  those  principles  in  mind 
makes sourcing decisions easier—and easier to sell to the
business. Dow outsources between 60 percent and 85 percent
of IT functions, depending on the workload and business
cycle.  (Most  IT  investments  occur  during  profitable  peaks  in 
Dow’s  cyclical  business.) 

Dow  IT’s  sourcing  decisions  start  with  an  assessment  of 
skills  available  internally  and  externally.  Then  IT  can  hand 
an  activity  to  an  outsourcer,  augment  its  own  staff  or  do  a 
combination  of  the  two,  depending  on  the  task’s  strategic 
importance.  However,  core  activities  such  as  architecture, 
major  technology  decisions,  contract  management,  security 
and  senior-level  relationships  with  the  business  that  tie  into 
Dow’s  four  strategic  themes  stay  in-house. 

The  desire  to  drive  financial  discipline  led  Dow  to  sign  a 
10-year  deal  with  Hewlett-Packard  to  handle  its  global  help 
desk.  “We  don’t  have  to  spend  the  money  to  build  those  skills 
up  globally,”  Murrell  says.  “[HP  has]  much  more  scale  and 
they  can  worry  about  where  the  talent  pools  are  and  how  to 
make  the  financials  work.” 

At the same time, Dow has kept its mainframe operations
in-house, even though that’s an area a lot of companies outsource
without a second thought. “We looked at it because
so many people were outsourcing it,” says Murrell. “But we
have not been able to find a company that can approach what
we spend today.” Again, the theme is financial discipline.
Dow’s internal IT resources can do the job for about 20 percent
less than the leading third-party providers and the key
is that Murrell knows this, has researched this and has those
numbers at his fingertips.


Don’t  Just  Say  No 

3 Ways to Answer the Outsourcing Question

So what do you do if your CEO, CFO or COO does fall under the
spell  of  a  vendor  salesman  and  asks,  “Why  the  heck  aren’t  we 
outsourcing  this?” 

A  defensive  or  emotional  response  will  only  hurt  your  case. 
Responding  in  a  calm,  fact-based  manner  is  your  best  bet  both 
from a political and an effectiveness standpoint. “Position it
in a way that makes it clear that you’re not outright opposed
to the idea,” says Jeffrey M. Kaplan, managing director of IT
consultancy ThinkStrategies. “If you go into self-preservation
mode, it looks bad.”

What  you  say  will  depend  in  part  on  how  prepared  you  are. 
Here are three ways to respond when the “O” word is uttered.

■ If you have a solid sourcing strategy and decision-making
framework  in  place  and  an  accurate  understanding  of  costs, 
service  level  and  other  considerations,  you’ll  want  to  inform 
the  CEO  and  let  him  know  you’re  evaluating  the  options: 

“I’m  glad  you  asked.  Here's  the  framework  we’ve  created 
for  deciding  what  to  outsource  and  what  to  keep  in-house,  and 
this is how it ties into our overall business goals. We don’t
outsource  X  because  that  allows  us  to  do  A,  B  and  C  without 
the  risk  of  X  and  Y.  We’ll  review  our  overall  strategy  again  at 
the  end  of  this  fiscal  year  and  update  our  cost  and  service  level 
benchmarks.  We’ll  certainly  look  into  those  options.” 

■  If  you’re  developing  your  sourcing  strategy  and  getting 
a  handle  on  internal  and  external  costs,  service  levels,  and 
other  considerations,  you  want  to  get  buy-in  for  that  process 
and  buy  yourself  more  time  to  complete  it: 

“As  a  matter  of  fact,  we’re  taking  a  look  at  the  entire  IT 
operation and the opportunities that might exist for outsourcing.
We’re using a very specific process to make our evaluation
in a way that will minimize risks and optimize benefits for the
company. This is our time frame for completing the process.
May I show you what’s involved?”

■  If  you  have  not  yet  started  to  develop  an  overarching 
strategy  and  have  little  visibility  into  internal  and  external 
costs,  service  levels  and  other  considerations,  turn  this  into 
an  opportunity  to  do  so: 

“That’s  a  good  question.  What  I’d  like  to  do  is  take  a  look  at 
the  entire  IT  operation  and  the  opportunities  that  might  exist 
for  outsourcing.  It  would  take  about  X  months.  We  would  be 
using  a  very  specific  process  to  make  our  evaluation  that  will 
minimize  risks  and  optimize  benefits  for  the  company  rather 
than  jumping  into  something  we  haven’t  fully  evaluated.”  -S.O. 


58  OCTOBER  1,  2006  |  www.cio.com 


BT  brings  it  all  together: 

•  Network  Convergence 

•  Security  Services 

•  Mobility  Solutions 

•  IP  Contact  Centres 

•  Service-Oriented 
Infrastructures 

On  a  global  scale. 


Hackers  don’t  sign 
in  at  reception. 

Security  used  to  be  about  the  perimeter. 

Now  it’s  about  protecting  yourself  wherever  you 
do  business. 

BT  delivers  security  as  an  innovative  range  of 
consulting  and  managed  services  that  improve 
your  defences  while  controlling  costs. 

Our  security  experts  have  helped  design,  secure 
and  manage  some  of  the  world’s  most  complex, 
critical  infrastructures.  Because  in  the  digital 
networked  economy,  security  is  a  network  issue. 

Talk  to  us. 

www.bt.com/networked


Bringing  it  all  together 



How to Calculate the True Costs of Sourcing Options

Creating a business-driven sourcing strategy
is an important first step. But an apples-to-apples
comparison of what it costs to insource
a function versus outsourcing it must be fed
into that framework. Outsourcers will always
claim they can do better in terms of costs and
service levels than internal IT—it’s what they
do—so building a case against outsourcing
may hinge on fact-checking that claim. “You
have to be able to say, ‘Here are our actual
costs and service levels. Here’s what the provider
can offer. Let’s figure out what makes a
good case,’” says Gartner’s Anderson.

Many IT organizations lack a true understanding
of their internal costs and service
levels.  “For  years,  the  business  put  money  into 
IT  because  that  was  the  cost  of  doing  business. 
But  now  they’re  asking  some  hard  questions,” 
says  Koulopoulos.  “Unfortunately,  the  costs  are 
often  buried  and  there  are  no  benchmarks.” 

Guesstimates  won’t  do.  To  make  a  case  for  or 
against  outsourcing  an  IT  function,  CIOs  must 
know at a granular level how much their company
spends on it internally. “You have to do
it  based  on  actual  IT  expenditures,  not  budget 


Dow’s focus on growth led to Murrell’s decision to insource
the bulk of the application development work he once sent to
Shanghai. The Chinese market is an important growth opportunity
for Dow. Outsourcer Accenture is involved in Dow’s Shanghai
development shop, but the majority of employees work for
Dow. “It was an opportunity to hire people, get to know China
and be ready for doing more business there. Meanwhile, they
are learning Dow work processes as they work on IT projects,”
says Murrell. “Our partnership with Accenture has been very
helpful in that process, but we identified and are driving that
opportunity, not the other way around.”

“What Dow has done is not unique,” says Jeanne Ross, principal
research scientist at MIT’s Center for Information Systems
Research. “But it’s clearly articulated.” It doesn’t guarantee success,
of course. In 2004, Dow ended a seven-year networking deal
with  EDS  three  years  early  (Dow  transferred  that  work  to  IBM 
because  it  thought  IBM  “could  provide  more  long-term  value”). 

Problems may occur in the course of any outsourcing relationship
but a sourcing strategy ensures that initial decisions
are made in the context of where the business is headed. “It
provides a common language that’s understood
across the company,” says Murrell. At
Dow, the four driving principles are beat like
a drum from the CEO on down. But that’s
not true in all organizations. At those companies,
the CIO must engage the business in
conversations about the company’s core mission
and how IT can best help achieve it. “If
you don’t, you’re at huge risk and so is the IT
group,” says Koulopoulos of Perot Systems.
“Someone will come around and say, ‘Why
don’t we outsource everything in IT?’”



PHOTO  BY  PETER  MURPHY 


Leaders  Wanted/CIO  Challenge  Series 


Challenge  #2: 

Turn  a  thousand  versions  of  your  numbers  into  one. 


Solution: 

Hyperion — your  management  system  for  the  global  enterprise. 

It’s  hard  to  see  the  insight  in  the  numbers  when  they  come  from  a  thousand 
different  spreadsheets  and  dozens  of  business  intelligence  tools.  That’s  why 
the world’s leading CIOs and CFOs turn to Hyperion. With Hyperion System 9,
you  can  dramatically  simplify  the  management  of  master  data  and  insure 
data  quality  across  all  enterprise  systems — analytical  and  financial 
applications,  transactional  systems,  data  warehouses,  and  more.  So  you  can 
deliver  numbers  that  inspire  confidence.  And  insights  that  inspire  action. 


FREE  ARTICLE  FROM  HARVARD  BUSINESS  REVIEW 
How  do  other  IT  leaders  deliver  financial  clarity  and 
business  intelligence?  Discover  new  insights  and  best 
practices  from  the  Harvard  Business  Review  and  Hyperion. 
Go to www.hyperion.com/go/numbers


Hyperion™

The future in sight


© 2006 Hyperion Solutions Corporation. All rights reserved. “Hyperion,” the Hyperion logo, and Hyperion’s product names are trademarks of Hyperion. References to other companies and their products
use  trademarks  owned  by  the  respective  companies  and  are  for  reference  purpose  only. 



performance.  Even  labor  costs  at  the  macro  level  aren’t  good  enough 
because  one  developer  may  be  doing  work  in  several  different  areas,” 
says  Harry  Wallaesa,  founder  of  IT  consultancy  The  W  Group. 

Better,  Faster  and 
Cheaper  at  Vanguard 

Jeff Dowds, IT principal, systems integration, who is in charge of
delivering IT services for three of Vanguard’s four lines of business,
was always clear about the fact that the company’s business
strategy drives his IT sourcing decisions. But if you’d asked him
two years ago about the service levels, costs and productivity of
the mostly insourced IT department, he couldn’t have told you. It
was a tricky place to be for an IT executive overseeing an internal
development staff of 1,600, even as competitors were doing more
and more outsourcing.

It’s easy to see why IT went the do-it-yourself route at Vanguard.
The mutual fund company operates virtually, and technology
is the link between the business and the customers. “We
wouldn’t  outsource  all  of  our  technology  any  more  than  we’d 
outsource  our  money  management,”  Dowds  says. 

But  one  of  Vanguard’s  strategic  objectives  is  to  keep  costs 
low.  If  IT  couldn’t  prove  it  was  doing  better  than  an  outside 
provider,  the  decision  to  eschew  outsourcing  could  come  into 
question.  “Delivering  custom-built  technology  in-house  is 
expensive  and  we  pay  a  premium  doing  that  work  in-house 
and  onshore.  But  we’re  always  interested  in  being  better,  faster, 
cheaper,”  says  Dowds. 

In 2004, Dowds started to laser in on costs and quality metrics.
He knew he was probably paying a premium to keep development
in-house and needed to validate that investment with
returns  like  developer  productivity  and  software  quality.  But  “it 
was  a  struggle  to  figure  out  how  to  best  measure  it  and  get  the 
accounting  right,”  says  Dowds.  “We  have  to  do  it  a  consistent  way 
to  justify  our  choice  to  keep  development  in-house.” 

As for costs, “we don’t cost account ourselves to death,”
he says. For each project, Dowds multiplies the hourly cost for
developers times the number of developer-hours required and
tacks on an additional 15 percent for infrastructure costs (say,
additional Unix processing horsepower or increased storage)
and another 15 percent for the businesspeople who work with
IT on the project. “I don’t want to say it’s precise,” says Dowds,
“but it works well.”

The  data  has  enabled  IT  to  justify  its  sourcing  decisions  to  the 
business and stave off pressure to offshore application development.
“IT is the biggest cost to the business and we don’t get
a  free  pass,”  says  Dowds.  “We  have  a  Vanguard  governance 
group  at  the  most  senior  level  and  they  will  challenge  IT  on  how 
it  sources  development.  We  have  been  able  to  show  them  what 
our  costs  and  productivity  are  and  how  we  can  manage  them 
better.  Outsourcing  is  not  the  only  way  to  drive  IT  costs  down. 
We  can  be  more  efficient  and  more  productive.” 

When  it  comes  to  outsourcing,  Dowds  would  never  say 
never,  though.  Ten  years  ago,  Vanguard  outsourced  its  LAN 
administration  in  order  to  cut  costs.  Four  years  ago,  Dowds 
brought  that  work  back  in-house  for  the  same  reason.  In  both 
cases,  the  sourcing  decision  achieved  the  desired  effect.  “If  we 
discovered  that  our  competitors  were  substantially  lowering 
their  costs  by  outsourcing  and  closing  the  gap  in  a  material 
way,  we’d  have  to  reexamine  our  decision,”  he  says. 

Meanwhile,  Dowds  displays  fiscal  responsibility  by 
employing  cheaper  contract  labor  (which  usually  amounts 
to  8  percent  of  IT’s  total  labor  pool)  that  he  can  shed  when 
times get tougher. “That way, [the business] is not asking,
‘When is IT going to wake up and outsource like everyone
else?’” Dowds says. Thus far, there hasn’t been a case where
insourcing  development  was  so  expensive  or  counterproductive 
that  Dowds  couldn’t  build  a  business  case  for  it. 

“You  don’t  ever  want  to  get  yourself  into  a  position  where  you 
have  to  outsource  because  you’re  not  good  at  what  you  do,”  says 
Dowds. “You do it because there are other reasons in the business
that drive you there.”

$100,000 Well Spent

At Henry Schein, economics weighs heavily in outsourcing decisions.
“We put a ton of time into benchmarking,” says CTO and
Senior VP Jim Harding, who spends between $50,000 and
$100,000 annually on consulting services to compare internal
costs and service levels to those of major competitors and
third-party providers.

Harding  has  done  limited  outsourcing  as  IT’s  internal  costs  and 
quality  have  mostly  held  their  own,  even  in  areas  that  might  not 
seem  core  to  the  $4.6  billion  distributor  of  dental  supplies.  In  fact, 
Harding  chose  not  to  outsource  the  help  desk  (which  consists  of 
a  staff  of  six,  supplemented  with  interns)  because  no  outsourcer 
could  touch  his  actual  costs,  which  were  20  percent  to  30  percent 
lower  than  third-party  providers  charged  for  the  same  service. 

He  did  look  seriously  at  outsourcing  his  data  center  and  went 
through  the  bidding  process  just  to  find  out  what  the  actual 
offers  were  from  vendors.  Their  proposals  were  too  pricey.  “We 
weren’t  going  to  save  any  money  doing  it,”  says  Harding.  “And  in 


“You don’t ever want to be in
the position where you have
to outsource because you’re
not good at what you do.”

-Jeff  Dowds,  IT  principal,  Systems  Integration,  Vanguard 


ADVERTISEMENT 


ONGROUND 


STRIKING  A  BALANCE  BETWEEN  DATACENTER  REALITIES  AND  BUSINESS  DEMANDS 


“Deal with it.” That is the stark reality facing
the vast majority of CIOs who confront hybrid
or highly mixed data center environments.

These are characterized by multiple server vendors,
multiple storage vendors, and even multiple operating
system and tools vendors. Deal with it they must,
because the heterogeneous world is here to stay for
the foreseeable future.

Just how “mixed up” are today’s data centers?
Research shows that a typical enterprise-class
organization has an average of nearly three storage
hardware vendors, three server hardware vendors,
more than three server operating systems, and
more than 1,000 servers scattered throughout the
organization.

Ironically, another name for the hybrid type of data
center is “best of breed,” which no doubt brings a
sardonic grin to many CIOs. After all, the challenge
of managing a mixed environment is taxing, draining
valuable IT resources away from more strategic or
innovative projects at a time when CIOs are tasked
with doing more to advance the core mission of the
organization.

GOT TO KEEP THE TRAINS RUNNING

But maintaining the infrastructure to assure baseline
service levels to users usually takes precedence
over innovation, as it must. The result is predictable.
A recent survey by IDG Research of subscribers to
CIO Magazine shows that most CIOs ideally want
more of their budget focusing on innovation and
strategic projects and less on operations and
administration.

It is a classic Catch-22 situation: CIOs can’t undertake
strategic projects with data center operations
unless they are optimized for peak performance,
and spending to achieve peak performance in a
heterogeneous environment drains IT resources that
otherwise would go toward innovation.

Fortunately there are strategies for dealing effectively
with the reality of hybrid data centers - strategies
that can and do have the impact of reducing IT overhead
so resources can be liberated and redeployed
toward innovation. One such strategy aggressively
targets the multiplicity of software tools vendors to
simplify the software management infrastructure.

In a case of less being more, harnessing the potential
of tools that are largely hardware-agnostic can markedly
reduce IT training costs and overall maintenance
costs as well. The gains come from replacing
multiple IT specialists for multiple tools with standardized
approaches to maintaining the software
infrastructure. This is an approach lauded by IDC
and other experts as an effective means of reducing
data center complexity and ultimately helping better
align IT with the goals of the business.


GO TO www.cio.com/whitepapers/symantec

now to obtain a free download of Taming The
Hybrid Beast: Strategies for CIOs to Reduce
Operational Overhead and Focus More on
Innovation. Based on a major research survey
by IDG Research Services and interviews
with data center experts, this just-released
white paper is designed to help CIOs
rationalize the mixed hardware and software
environments that characterize the corporate IT
world today. It also offers sensible and immediately
useful advice for driving out excess overhead
and putting the force of IT muscle behind
innovation.


Symantec 



Custom  Publishing 


the  worst  case,  you  could  end  up  in  a  situation  where  you  want 
an  extra  extension  cord,  and  according  to  the  contract,  it’ll  cost 
an  extra  $40,000.” 

That  happened  when  he  outsourced  support  of  the  Henry 
Schein  business  unit  that  sells  computer  and  networking 
equipment  to  doctors  and  dentists.  “They  wanted  to  take  over 
the  facilities  and  the  people  but  still  keep  it  here  at  our  site,” 
says  Harding.  “And  it  ended  up  costing  us  more  because  they 
nickeled and dimed us to death. We cut our costs significantly
by  bringing  it  back  in-house.” 


Money’s not the only factor driving Harding’s decision not
to outsource. Less tangible issues are factored in. “Just because
[the vendors] do it for a living doesn’t mean they do it any better.
Nobody cares about our people like we do,” says Harding.
“To give that over to IBM, we’d have to pay their higher rates
and risk losing those service levels.”

It’s a lesson he learned the hard way. At a previous company,
Harding hired an outsourcer to provide data recovery
services. One day, the power went out. “Their uninterruptible
power supply didn’t work and our machines went down,” says
Harding. “And they were the so-called experts.”


Why Money Isn’t Everything

Incorporating unpredictable or less quantifiable—but equally
expensive—costs or benefits into a case against outsourcing
is critical. “Once you have the numbers, you have to address a
series of risks. The transition to the outsourcer could take longer,
supplier productivity may not be as good as advertised and you
may see less savings,” says Jones of Source Renaissance. “There
could be all kinds of changes or unknowns downstream.”

Getting a handle on costs and quality is a good first step. But
there are other less tangible risks that should be factored into
any sourcing case. At Vanguard, data security has become a huge
consideration in the decision not to outsource. Dowds is considering
whether to proceed with a managed service deal for that very
reason. At Henry Schein, there’s not much outsourcing going on
anywhere because the company has been able to leverage its centralized
shared service model to great financial advantage, so a
sudden move to outsource major portions of IT could have a negative
effect on the corporate culture or employee morale.

“There are things like impact on employees, public opinion,
intellectual property protection, compliance—[things]
you may not be able to apply an accurate numeric value to—
that should be factored into the business case,” says Hatch of
Ventoro. (See “Risky Business,” Page 56.)


When Not to Outsource

10 signs you might want to keep an IT function in-house

1. Your company is going through rapid or dramatic change.

2. You already have a low-cost IT environment.

3. Your sole rationale is cost savings.

4. You don’t have an overall sourcing strategy.

5. You don’t have the internal competency or a plan to
manage the outsourcer.

6. You’re doing it because senior executives are forcing you to.

7. You don’t understand internal IT costs and quality.

8. You’re outsourcing because the competition is doing it.

9. You’d have to transfer a significant amount of knowledge
that’s core to the business.

10. You’re not clear about the overall business strategy
and how IT fits into it. -S.O.



Bring the Business In

Twenty years ago at the dawn of the outsourcing age, decisions
about handing tech functions over to a third party were made
solely by the IT department, with no input from the business.
During the megadeal days of the 1990s, the pendulum swung
in the opposite direction, with the business foisting outsourcing
deals on IT. Today, we’re somewhere in the middle. “The
ideal situation would be to make the sourcing decision process
a collaborative one involving relevant stakeholders,” says
Gartner’s Anderson.

At Henry Schein, Harding engages the business in the process
to protect himself from sending more work offshore than he’s
comfortable with. For instance, when it’s time for auditing internal
IT costs and working with external consultants on benchmarking,
Harding involves the finance department. “I bring
them in and have them look at it and add their own analysis as
to whether it’s a fair benchmark,” he says. “It provides a good check
and balance for IT, and it lends some credibility to the numbers.”

He  also  publicizes  internal  costs  and  service  levels  monthly, 
explaining  what  the  results  mean  in  business  terms,  both  in 
one-on-one  meetings  with  the  C-level  suite  and  in  IT  steering 
committee  conferences.  “As  long  as  your  costs  are  competitive 
and  you’re  delivering  well,  there’s  no  pressure,”  says  Harding. 
“If those start to fail, they’ll start to say, ‘Why don’t we bring in
some outside experts?’”

If  there’s  a  problem  with  internally  delivered  IT  services, 
Harding  is  quick  to  communicate.  “It  can  be  as  insignificant 
as  an  issue  with  e-mail  or  as  bad  as  an  AS/400  core  processor 
going  down.  We  issue  a  code  red  and  report  on  it  at  the  end  of 
the  month,”  says  Harding.  “If  it’s  something  really  critical,  I’ll 
call  the  chairman  myself.” 

Harding  believes  the  best  defense  is  a  good  offense.  He 
learned  this  at  Mobil  Oil  in  1985  during  the  first  outsourcing 
gold  rush.  “We  made  all  the  classic  mistakes,”  he  says.  “The 
business  was  making  the  decision,  IT  didn’t  understand  our 
own costs, and we outsourced every

Continued on Page 69



_DAY  45:  These  underutilized  storage  boxes  have 
proliferated  exponentially.  We  doomed  ourselves 
by  locking  too  many  devices  to  specific  I.T. 
functions.  Now  we’re  trapped  in  a  storage  maze 
of  our  own  creation. 

_DAY  47:  I  tried  to  give  Gil  a  boost  over  this 
wall,  but  he  pulled  a  hammie. 

_DAY  48:  If  we  ever  get  out  of  here,  I’ve  vowed 
to  use  storage  virtualization  from  IBM.  Proven 
technology  to  simplify  our  disparate  storage 
resources. 

_P.S.:  I  may  have  to  leave  Gil  behind,  despite 
my  motto:  Leave  no  coworker  behind. 



TAKE BACK CONTROL of your data with IBM System Storage™.

Control productivity. The IBM System Storage SAN Volume
Controller (SVC) simplifies your storage universe. Now you can
manage your IBM and non-IBM storage from a single point of control.1

Control utilization. IBM virtualization technology helps move
you beyond the typical 30-50 percent utilization by combining your
storage capacity from many disk arrays into a single resource.

Control costs. The IBM SAN Volume Controller brings enterprise-level
capabilities to midrange storage, which can save you as much
as 40 percent.2

Control flexibility. SVC supports a wider range of disk systems
than other major vendors,3 so it works with the storage technology
you already have in place.

Control results. IBM gives you proven virtualization. And unlike
EMC, IBM has fourth-generation experience and over 2000 installed
customers.


Z 


IBM.COM/TAKEBACKCONTROL/STORAGE 


St0-se  solutions  may  require  purchase  of  more  than  one  product  to  implement  these  capabilities  and  may  not  be  available  on  pictured  product.  'For  host  and  storage  systems  supported 
by  SVC,  go  to  ibrmcom/servers/storage/software/virtualization/SVC/interop.html.  Storage  price  comparison  based  on  cost  per  megabyte  between  midrange  and  enterprise  storage, 
defers  to  EMC,  HP  and  HDS.  IBM,  the  IBM  logo,  System  Storage,  and  Take  Back  Control  are  trademarks  or  registered  trademarks  of  International  Business  Machines  Corporation  in  the 
United  States  and/or  other  countries.  Other  company,  product,  and  service  names  may  be  trademarks  or  service  marks  of  others.  ©2006  IBM  Corporation.  All  rights  reserved 

'  -  \  '  f.  i  V'  .  y-  a 


. 


t».». > 


Continued  from  Page  64 

single  thing  that  was  not  ‘core.’”  The  result?  “We  ended  up  tak¬ 
ing  it  all  back  in-house.” 

The lesson for Harding was to involve the business early and
often not only in sourcing decisions but in monitoring how well IT
is delivering so the business leaders don’t have the impetus to seek
other sourcing options on their own. When Steve Brown was CIO
of Carlson Companies, the $8.4 billion travel, hospitality and
marketing conglomerate, he was selective about outsourcing. Hired in
2000, he knew that Carlson’s margins were slim, and anything he
could do to ease the margin pressures would help.

After close examination, Brown decided the best way to provide
low-cost and high-availability IT services to the business
was to keep most of IT in-house as he transformed the decentralized
IT function into a shared services organization. But he made
certain the businesses within Carlson understood not only
why he did not outsource more but also how that decision
benefited them. He created a catalog of 85 services IT provided,
each benchmarked against “best in class” providers.

“That  allowed  me  to  make  sure  I  was  provisioning  services 
that  were  best  in  class  from  a  quality  and  cost  point  of  view,” 
says  Brown,  who  left  Carlson  in  2005.  The  one  area  where  he 
couldn’t  compete  was  printing  and  document  management, 
which  he  handed  off  to  Xerox. 

Brown knew how important every dollar was to each of
the company’s businesses. So he took his services catalog
and benchmarking and drilled down. He compared the IT for
the hotel businesses to best in class hotels. He compared the
marketing business’s IT costs to best in class marketers. “It’s
important not just to benchmark but to be able to talk to the
business in the terms that are meaningful to them,” Brown says.

He also tailored presentations to the CEO, CFO and COO, making
it a habit to point out where service or costs were less than
stellar and explaining how that might be solved either internally
or through a third-party provider. “You have to own all the facts
and that allowed me to have a very meaningful conversation with
the business about IT and enabled them to be an informed part
of the decision-making process,” says Brown. “It transformed it
from the typical conversation you have, which is, ‘We need to cut
some costs. Let’s cut it out of IT.’”

When  executives  asked  about  the  possibility  of  sourcing 
some  application  development  offshore,  he  could  tell  them,  “‘I’m 
already  looking  more  deeply  into  that  and  here’s  what  I’ve  found 
so  far.’  They  knew  I  was  looking  at  every  aspect  of  IT  all  the  time. 
That  created  trust.” 

The  Best  Laid  Plans 

A  CIO  can  be  proactive  about  creating  a  sourcing  strategy  that’s 
closely  aligned  with  the  business  strategy,  diligent  in  assessing  the 
costs,  service  levels  and  other  factors  necessary  to  make  informed 
comparisons  between  sourcing  options,  and  politically  savvy  about 
involving  the  business  every  step  of  the  way,  yet  the  decision  may 
still  be  made  to  outsource  an  IT  function. 

That happened at Carlson, where last year the company signed
a major outsourcing deal with IBM to handle selected IT and
finance functions. Brown lobbied against the decision and
ultimately resigned.

“These [outsourcing] decisions are still going to be made,” says
Gartner’s Anderson. “But you can at least force the business to
take a breath. When these mandates come down, you’ll at least
have some initial argumentation. Worst-case scenario, if the
decision proceeds, you have all the data to do a baseline comparison
to what the provider is pitching you.”

“The ideal situation would be to make the sourcing decision
process a collaborative one involving relevant stakeholders.”
-Dane Anderson, research director of IT Services and Sourcing, Gartner

Sometimes investing time and money in a detailed examination
of sourcing options can bias executives toward signing a
deal. “There’s a certain momentum to the process and some may
feel the obligation to follow through and set up an outsourcing
relationship,” says Kaplan of ThinkStrategies. “But it’s a healthy
exercise and can be successful even if you don’t end up outsourcing
anything. It’s best seen as an opportunity to evaluate internal
requirements and external opportunities.”

And  one  that  shouldn’t  be  done  once  and  tossed  in  a  drawer. 
A  good  sourcing  strategy  should  be  revisited  at  least  once  a  year, 
experts  say.  “You  need  to  keep  an  eye  out  on  a  continuous  basis,” 
says  Kaplan.  “Your  own  business  and  the  IT  services  market  is 
changing  so  rapidly.” 

The continued effort will pay off one way or another, not only
preventing against bad outsourcing decisions but also uncovering
outsourcing opportunities you might not have considered.
“Even if outsourcing is not on the table, start building your
case,” says Gartner’s Anderson. “Not to defend against it
necessarily but to be prepared to have that discussion based on a
business case.”


Senior  Editor  Stephanie  Overby  can  be  reached  at  soverby@cio.com. 


Be  Prepared 


Marshall outsourcing arguments before the "O" word is uttered. Start
your research with a report from Nautilus Advisors, "HOW TO AVOID
OUTSOURCING (WHEN EVERYONE AROUND YOU THINKS IT'S A GOOD
IDEA)." Follow up by reading "SOURCING STRATEGY: KNOWING
WHEN TO OUTSOURCE" from Source:Renaissance. Find both at
www.cio.com/archive/100106/outsourcing.html



View from the Top

Cure for the Blues

For this mid-market health-care insurer, today’s IT investments
are the prescription for a healthy future

The health insurance industry is one of the more difficult economic
sectors in which to compete. Even as health insurance premiums
continue to increase at double digit rates, the stock prices of the
largest health insurers have dropped by a third or more this year as
rising medical costs take a bigger bite out of their revenue.
Meanwhile many insurers are criticized for cutting back on coverage
and customer service, while they continue to spend heavily to
comply with federal health information privacy laws.

Blue Cross and Blue Shield of Kansas City CEO Tom Bowser
says IT can reduce costs by mining customer data for ways to make
individuals healthier.



“We’re  not  big  enough  to  make  gambles,  but  we  are  smart 
enough  and  nimble  enough  to  monitor  what’s  going  on 
and  to  adopt  new  technologies  that  work  for  us.” 

-Tom  Bowser,  CEO 


With an estimated $1.6 billion in revenue this year, Blue
Cross and Blue Shield of Kansas City is a relatively small
player in this multibillion-dollar market, competing against
companies more than 10 times bigger in a 30-county area in
Northwest Missouri and the two most populated counties
in Kansas that make up Kansas City. Nevertheless, BCBSKC
is the largest health insurer in the region, providing coverage
for 900,000 people and garnering a 42 percent market
share.

CEO Tom Bowser wants to expand the company’s customer
base by as much as 300,000 by 2010, and he believes
information technology will allow him to do it. But he
wasn’t always a hard-core believer in IT. As the company’s
chief operating officer during most of the 1990s, Bowser saw
IT project after IT project fail.

Then company executives decided to invest $50 million in
a legacy systems upgrade, at the same time outsourcing
applications such as data warehousing and electronic claims
processing, as well as functions such as application
development. Bowser calls the transition traumatic but worth
it. In his view, outsourcing lowered the risk of future IT failures.

Bowser attributes much of BCBSKC’s recent success
to this strategy, which leaves the 200-person IT department
under CIO Kevin Sparks to focus on integration
projects that differentiate BCBSKC from its competitors
and improve customer service. As a result of this strategy,
Bowser says, between 2000 and 2005, the company

■ served 15 percent more customers with 10 percent
fewer employees

■ decreased administrative expenses from 21 percent
of revenue to about 13 percent

■ provided the best customer service levels in the
Kansas City metropolitan region, as ranked by doctors,
hospitals, brokers, customers and other constituent groups

■ increased its customer service scores from the bottom
quartile to the top quartile among all 38 BCBS groups
nationwide, as measured by criteria such as timeliness and accuracy
when managing enrollment, claims processing and inquiries.


“These  are  all  very  tangible  and  meaningful  measures  of 
benefits  we’ve  received  from  our  IT  investment,”  Bowser  says. 

BCBSKC’s IT department is the brains behind a pilot program
launched this year that is designed to help BCBSKC
customers reduce their health insurance premiums—and
help BCBSKC cut its costs—through customized wellness
programs.

Under  the  program,  called  “A  Healthier  You,”  customers 
can  save  $120  per  year  on  their  health  insurance  premiums. 
Individuals  enroll  online  and  provide  their  personal  health 
information,  including  family  medical  history,  data  such  as 
blood  sugar  and  cholesterol  levels,  and  any  health  concerns 
that  may  not  show  up  in  their  medical  records,  such  as 
depression  or  a  nagging  pain. 

Once a certain number of individuals from a group (such
as a company) are enrolled in the program, BCBSKC aggregates
individuals’ health information to identify common
health problems within the group’s population. Individuals
within the group are given information on how to take care of
the health risks BCBSKC has identified (collectively improving
these problems means reduced group premiums). Meanwhile,
BCBSKC electronically sends the information to the
nurses and doctors who work with the individuals, so they
can support the insurers’ recommendations.

CIO  talked  with  Bowser  about  his  evolving  appreciation 
of  IT,  his  relationship  with  Sparks  and  his  philosophy  about 
how  technology  should  support  BCBSKC  now  and  in  the 
future. 

CIO:  How  did  you  become  convinced  that  IT  could 
contribute  strategically? 

Tom  Bowser:  The  epiphany  kind  of  occurred  back  in  1997. 
Our  company  had  problems  well  beyond  our  IT  problems 
and  because  of  delays  and  cost  overruns,  IT  was  looked  on  as 
a  burden  rather  than  a  solution.  The  thing  that  has  changed 
since  then  is  that  we  have  abandoned  the  philosophy  of  “We 
have  to  build  everything  ourselves.”  We  have  become  happy 
to  be  wise  purchasers  of  software  from  other  companies. 

It  was  a  philosophical  hurdle  for  our  IT  shop  and  for  our 
company,  but  it’s  a  hurdle  that  we’re  glad  we  passed.  [Today] 
our  partners  have  financial  incentives  that  are  aligned  with 
developing  software  to  serve  our  [industry’s]  market  needs 
and  demands.  Our  IT  team  can  integrate  and  configure  the 
software  to  meet  our  [regional]  market  demands  and  stay 
focused  on  the  needs  of  our  customer  base. 


Blue Cross and Blue Shield of Kansas City

Headquarters: Kansas City, Mo.
Industry: Health Insurance
2006 Revenue: $1.6 billion (estimated)
Employees: 1,035
IT Executive: Kevin Sparks, CIO




“We think there’s pay dirt in working with employers to
create incentives for people to become more responsible
for their own health. The role of IT is infinite [for] being
able to measure reduction in smoking, obesity levels; all
of that comes through our data warehouse.”

-Tom Bowser


We’re  not  big  enough  to  make  gambles,  but  we  are  smart 
enough  and  nimble  enough  to  monitor  what’s  going  on  and 
to  adopt  new  technologies  that  work  for  us.  We’re  proud  of 
our  track  record  for  a  company  our  size. 

Last year Deloitte & Touche found that 25 percent of companies
surveyed that had outsourced IT functions planned
to bring those functions back in-house. Why do you view
outsourcing so positively?

We  think  we  have  more  control  over  our  day-to-day  destiny 
with  those  partnerships  than  we  had  with  the  do-it-yourself 
mentality.  We  collaborate  with  other  Blues  plans  as  well 
as  our  vendors  to  shape  development  requirements  for  the 
software  they  develop. 

“Partnerships”  connotes  a  strong  business  tie.  Can  you 
describe  your  relationships  with  your  vendors? 

One  is  with  the  TriZetto  Group,  which  has  built  our  data 
warehouse.  That  [system]  helps  us  retain  existing  groups 
and  attract  new  ones.  It  also  helps  us  set  rates  in  the  most 
practical  way  possible  as  we  can  take  a  longer  view  of 
trends  across  our  business  rather  than  in  a  [single]  group. 

Our company recently chaired an organization of Blue
Cross Blue Shield plans called the Blues Strategy Group on
TriZetto, or “BSGT.” This group connects via conference
calls once a month and meets face-to-face with TriZetto
twice a year. The purpose of the group is strategic collaboration
among the 14 Blues plans that utilize the TriZetto
software. The group discusses items with respect to emerging
market demands, software quality and design, and Blue
specific needs.

In a second collaboration, we have [deployed] an electronic
enrollment module, and we are now introducing an electronic
billing module. Both of these things reduce cost for us
as well as our customers but also represent substantial retention.
Once we have our customers wired to us, we think it’s
less likely that they will leave us.


How does your CIO, Kevin Sparks,
support your business strategy?

We have a very positive, very collaborative, very high energy kind of
relationship. Kevin has that unique ability, which CEOs like, to talk
about technology in very understandable terms, and in terms that help
us know very quickly what the capital investment in IT will do in terms of
reducing expense, growing service or enhancing [our] products.
We have, like most companies our size, an investment
information technology committee. Kevin is the technical
chair of that and helps decide who gets what piece of the
technology investment pie.

Know What the Boss Wants

To learn more about WHAT CEOS THINK ABOUT I.T., read the rest of the
View from the Top series online at
www.cio.com/specialreports/viewfromthetop.html.

In  the  next  10  years,  you  plan  to  employ  more  data  mining, 
as  you  have  begun  to  test  with  the  wellness  program.  What 
other  roles  does  IT  play  in  BCBSKC’s  future? 

Statistics  show  that  50  percent  of  health  care  costs  are 
affected  by  lifestyle  choices.  Do  people  buckle  up?  Do  they 
exercise?  Do  they  eat  right?  Do  they  drink  too  much?  We 
think  there’s  pay  dirt  in  working  with  employers  to  create 
incentives  for  people  to  become  more  responsible  for  their 
own  health.  As  time  progresses,  there  may  be  other  payroll 
deduction  techniques  or  other  financial  incentives  to  get 
people  to  do  what  they  know  is  instinctively  right  [using]  a 
monthly  reminder  in  their  paycheck. 

The role of IT in this is infinite. Being able to measure
progress in a group across one of these disease problem
areas like reduction in smoking, reduction in obesity levels;
all of that comes through our data warehouse and through
collaboration with our [customers]. It also enhances the
reputation we have as a local service, hometown community
partner, which our competitors can’t match and which
has IT at its foundation.

As a local, not-for-profit business, we do not answer to
shareholders far removed from our customers. We have
much more flexibility in serving our customers and determining
our destiny because we don’t answer to a larger
corporate entity and we are not regionalizing or nationalizing
our service standards. IT focuses on what our customers
want or need in the greater Kansas City metropolitan
area. This helps us differentiate our service and maintain our
position as the leading health insurer in Kansas City.


Washington Bureau Chief Allan Holmes can
be reached at aholmes@cio.com.




The 


Network  Strategy 


The Internet’s new communication technology, IPv6,
is coming—whether CIOs are ready or not. But being ready
could save you millions and reduce security risks.

In June 2003 John Stenbit, then CIO of the Department of
Defense, announced that the DoD would move to Internet
Protocol version 6 (IPv6), a next-generation Internet
communication technology, by 2008.

The only trouble was, hardly anyone in the government—or
anywhere else—knew what he was talking about.

IPv6 is the international standard chosen by the Internet
Engineering Task Force to replace the current protocol, IPv4
(version 5 never made it out of the gate). It is more secure and
can extend Internet connectivity to a nearly infinite number of
devices, while at the same time reducing network management
costs by as much as a third.

Stenbit’s announcement was designed to give an IPv6 ecosystem
a chance to develop gradually within the DoD. “Moving to IPv6
takes a long time,” says Stenbit, who retired from the DoD in 2004.
“Within the DoD procurement system, big bucks are bet on [systems]
that come out five years later. If the people who are working on those
systems don’t know what IP version we will be using [in the future]
then they will just build them with today’s protocol and we will lose
the ability to move forward.”




ILLUSTRATIONS  BY  JEAN-FRANCOIS  MARTIN 


:ader  ROI 

Why  IPv6  wil 
a  critical  part 
network  strat 

How  planning 
can  save  you 
down  the  roa 

What  steps  y< 
to  take  today 
IPv6  ready 




Training Your IPv6 Champions

According to the federal CIO Council’s IPv6 transition guide (find a link to the full
report at www.cio.com/100106), there are four kinds of training that a company’s
IPv6 champion needs:

Business—IPv6 workshops and conferences provide participants with general
information on the technology, identify vendors that support IPv6, help them
understand the business drivers behind the transition and introduce them to
services or products enabled by IPv6.

Architecture—This covers everything from auto-configuration to routing,
multicasting and principles for connecting to the IPv6 Internet. This area will have
the greatest impact on the development of successful IPv6 integration plans.

Operations—Companies need to train their staffs on how to support the IPv6
environment. The bulk of operational training should focus on supporting IPv6
applications (for example, IPv6-enabled e-mail and Web servers). Operational
training will often be hardware- or software-specific, generally produced by, or for,
a particular vendor’s product.

Technology—Extra specialized training will be needed to address other technological
topics in which IPv6 plays an important role, such as mobility and security.

-B.W.


To date, however, few U.S. companies
have followed in the DoD’s footsteps. Nor,
for that matter, have the past three years
brought an increase in IPv6 awareness. A
recent CIO Executive Council poll on IPv6
adoption had only two responses, and neither
of those CIOs was using IPv6. In a
sense, that is understandable; the current
version of the Internet works just fine, and
to date there hasn’t been a lot of pressure
to move.

But  that’s  about  to  change. 

Last-Mover Disadvantage

Outside the United States, the transition
to IPv6 is well under way. China, Japan
and Korea have all made moving to IPv6
a national priority, as has the European
Union. China, in particular, is building
a new Internet based entirely on IPv6
that it hopes will allow it to become the
world’s leader in all things Internet (see
“China Builds a Better Internet,” www.cio.com/071506).

In the United States, many of the hurdles
that have stood in the way of IPv6
adoption are about to disappear, thanks
in large part to the DoD’s move and a subsequent
rule requiring federal agencies to
transition their networks to IPv6 by 2008.
Advances in hardware, software and telecommunications
have guaranteed that the
transition will happen in the United States
as well—with or without the cooperation
of CIOs.

For example, many network equipment
makers, led by Cisco and Juniper, have
been selling routers and switches that
are IPv6 compatible for several years. On
the software front, Microsoft’s upcoming
Vista operating system will have IPv6 as
its default protocol, and Windows Vista
has several collaborative features that
work with IPv6. Finally, the major telecom
companies are quietly upgrading their
networks to carry IPv6 traffic—keeping
themselves in the running (they hope) for a
General Services Administration telecommunications
contract valued at $20 billion
over the next 10 years that requires carriers
to have IPv6-capable networks.


Not  If  But  When 

“The religious war of should we or
shouldn’t we move to IPv6 is over,” says
Tom Patterson, CEO of the IPv6 consultancy
Command Information. “It is a matter
of when.” But CIOs can’t afford to just sit
back and wait for the new Internet to come
swoop them up. They need to actively plan
upgrades of everything on their network to
IPv6-capable versions if they wish to avoid
the complexity, security risks and extra cost
of maintaining two protocols over the long
haul. Every router, laptop, application and
anything else connected to the Internet will
continue to work side-by-side with the old,
but in a much more efficient manner. The
critical question is whether to work the transition
into your normal technology refresh
cycle, or wait and absorb a massive one-time
hit when competitive pressure forces you to
move to IPv6.

The good news is that there is no Y2K-like
deadline, which means CIOs have time
to develop a plan and invest at a gradual
pace to avoid the extra costs and risks of a
sudden switchover. “If you don’t prepare
correctly you will create headaches that
you don’t need to have,” says Yanick Pouffary,
a technology director of the North
American IPv6 Task Force and fellow with
the IPv6 Forum.

Good planning starts with viewing IPv6
as more than a tactical issue. “Don’t just
look at this as a hardware refresh,” says
John McManus, acting CIO of NASA and
the cochairman of the federal CIO Council’s
IPv6 Working Group. Upgrading to
IPv6, he says, will help you reduce network
costs and complexity, and facilitate
new services that are limited only by your
imagination. And while McManus says
that “there are 100,000 things that can go
wrong if you don’t do this right,” actually
doing it right is surprisingly simple. And
if you start now, it doesn’t have to be prohibitively
expensive. What follows is a six-step
guide to help CIOs upgrade to IPv6
with the minimal possible expense and the
greatest possible benefit.

[STEP  ONE] 

Don't  Miss  the  IPv6  Boat 

The Internet protocol is the Internet’s version of a postal envelope, containing information such as the destination and return addresses, and details about a package’s contents. The current standard, IPv4, was developed in 1976, back when the Internet was inhabited by a small group of government researchers and academics and the prospect of using up the protocol’s total of 4.3 billion addresses seemed wildly improbable. IPv4 also didn’t have any security or mobility features.

IPv6 was intended to fix these shortcomings. It uses a larger-capacity addressing scheme allowing a nearly infinite number of devices to have their own addresses. It also has built-in security and the ability to automatically configure itself onto a network, easing mobility and general network management. As such, it could enable anything from sensor networks that detect meteorological events to refrigerators that e-mail grocery lists to their owners’ cell phones.

That’s  the  short  version.  In  reality  it  is 
impossible  to  learn  everything  you  need 
to  know  about  IPv6  from  a  single  article. 
CIOs  need  to  find  out  if  there  is  anyone 
on  their  staff  who  knows  anything  about 
IPv6.  If  you’re  lucky  there  might  be.  But 
don’t  count  on  it.  That  means  appointing 
an  IPv6  champion  who  will  be  accountable, 
says  Lisa  Schlosser,  CIO  of  the  Department 
of  Housing  and  Urban  Development.  “This 
person  should  have  an  executive  sponsor 
and  report  to  the  CIO.” 


[STEP TWO]


Develop  a  Business  Case 

Every company in every industry should be able to think of some way that IPv6 can help its business. At the DoD, for example, Stenbit wanted to build a global information grid—a virtual map of communications, processing and storage from which users can pull the data they need to do their job, a vision that continues after his retirement. Most CIOs will find solutions to more ordinary challenges. At HUD, for example, housing inspections after disasters like Hurricane Katrina could be done more easily (with more IP addresses available) by inspectors carrying mobile devices instead of typing field reports into computers back at the office. “More addresses will let us extend our network,” says Schlosser. “When you increase your addresses you can collect this information in real-time.”

For a construction company like Bechtel, IPv6 unleashes any number of possibilities that could come from combining IT systems with other systems like security cameras and air-conditioning units. For example, sensor networks made of small, wireless, IP-enabled devices can add new capabilities to the current facility management systems. If Bechtel builds a factory in a hot climate that will be open only 12 hours a day, the sensors can collect real-time climate and temperature information that can be combined with real-time electricity price information to help the company decide when it is most cost-effective to turn on the air-conditioning.

IPv6 can also reduce the cost and complexity of managing IT. In an IPv6 economic assessment released earlier this year, the National Institute of Standards and Technology (NIST) estimated that the new protocol would facilitate a move to voice over IP, which could result in a 20 percent decrease in communications spending for the average company. Furthermore, NIST estimated that IPv6 would save IT departments about 30 percent of their overall IT spend by eliminating the need for network address translation devices and associated practices that companies use to allow IPv4 to extend Internet access to the devices on their internal networks. IPv6 also allows for end-to-end security (more on this in Step 6), which would allow companies to phase out perimeter security tools like firewalls. IPv6 will also save CIOs and their staffs time, since it has the ability to auto-configure itself, which essentially makes an IPv6-capable device—a desktop, a security camera or an IP telephone—plug and play regardless of geography, with obvious advantages for the military and companies like Bechtel, cutting the time it takes to set up an on-location network. Today, Bechtel engineers have to re-terminate the voice and data network every time someone moves a trailer, says Fred Wettling, a fellow in Bechtel’s technology group. That goes away with IPv6. Within a corporation, IPv6 can facilitate better collaboration. Each IPv6 computer is able to act as its own server, meaning that users can connect to one another directly. One application that already takes advantage of this is Windows Vista, which allows IPv6 users to work inside the same Word document, spreadsheet or PowerPoint presentation regardless of physical proximity and without going through a Web host.


[STEP THREE]


Inventory  Your  Network 

The next step is to find out what exactly is on your network and determine what is already IPv6 compliant or can be upgraded to the protocol. These devices aren’t limited to routers and switches but include security tools like firewalls, laptops, even printers. “Organizations deploy hundreds of printers and thousands of desktops but don’t maintain a strong accounting of them,” says Vic Berger, lead technologist for the government practice at the consultancy CDW.

McManus, NASA’s acting CIO, says he broke it into two separate tasks, first taking inventory of devices that communicate with the outside world, like routers and firewalls, and doing the internal-facing devices on LANs such as laptops later. This makes the task more manageable. Also, he says, it helps to use network discovery tools as much as possible.

As you identify each device, you need to determine whether it is IPv6 ready, if it can be upgraded to IPv6 or if it needs to be replaced. “There is no IPv6 seal of approval,” says Patterson, so you may end up reading manuals, calling vendors or checking websites to find out. McManus stresses that a full inventory is not an overnight project. “Even with automation it took us three months.” And that was just the external network.

It’s also important to get your vendors’ IPv6 transition plans. “You can’t build your transition plan without knowing your partners’ plans,” says McManus. Those plans may not be well formed yet, warns Wettling. “We are sharing our experiences with our partners,” he says. “We are working with them hand and glove. We learned from what they have done, and they learn from what we are doing.” If the vendor isn’t willing to work with you on a transition plan, find a new vendor.


[STEP FOUR]

Rethink Legacy Systems and Practices

You can’t always expect outside help in making the transition to IPv6, however. You will need to come up with your own plan to transition older technologies, such as mainframes that are no longer supported, and to upgrade software developed in-house.

CIOs at companies that do a lot of in-house development will need to ensure that every developer builds with IPv6 in mind. For example, Microsoft has a development utility that lets programmers check an application’s source code for places that currently have IPv4 commands. At Bechtel, Wettling has identified what he calls gateway points during development—places in the cycle where a programmer hands off his source code to a quality assurance person, for example. Each of these people is now responsible for making sure that the application is IPv6 capable before it moves to the next stage of production.
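A gateway-point check of the kind described above can be automated. The Python code below is an added example, not from the article and not Microsoft's utility: it scans C source for IPv4-only sockets API identifiers and hard-coded dotted-quad literals and names a protocol-neutral replacement for each. The sample source, the function names and the pass/fail rule are assumptions made for illustration.

```python
import ipaddress
import re
from typing import NamedTuple

# IPv4-only identifiers from the BSD/Winsock sockets API, each mapped to a
# protocol-neutral or IPv6-capable replacement.
IPV4_ONLY = {
    "gethostbyname": "getaddrinfo",
    "gethostbyaddr": "getnameinfo",
    "inet_addr": "inet_pton",
    "inet_aton": "inet_pton",
    "inet_ntoa": "inet_ntop",
    "sockaddr_in": "sockaddr_storage",
    "in_addr": "in6_addr or sockaddr_storage",
    "AF_INET": "AF_UNSPEC or AF_INET6",
    "PF_INET": "PF_UNSPEC or PF_INET6",
    "INADDR_ANY": "in6addr_any",
    "INADDR_LOOPBACK": "in6addr_loopback",
}
# Word boundaries keep sockaddr_in6, AF_INET6 and sin_addr from matching.
TOKEN_RE = re.compile(r"\b(" + "|".join(map(re.escape, IPV4_ONLY)) + r")\b")
LITERAL_RE = re.compile(r'"((?:\d{1,3}\.){3}\d{1,3})"')
# Single-line comment stripping only; a "//" inside a string literal is also cut.
COMMENT_RE = re.compile(r"/\*.*?\*/|//.*")


class Finding(NamedTuple):
    line: int
    token: str
    suggestion: str


def scan(source: str):
    """Return one Finding per IPv4-only construct, in source order."""
    findings = []
    for number, text in enumerate(source.splitlines(), start=1):
        code = COMMENT_RE.sub("", text)
        for match in TOKEN_RE.finditer(code):
            name = match.group(1)
            findings.append(Finding(number, name, IPV4_ONLY[name]))
        for match in LITERAL_RE.finditer(code):
            try:
                ipaddress.IPv4Address(match.group(1))
            except ValueError:
                continue  # looks like a dotted quad but is not a valid address
            findings.append(
                Finding(number, match.group(1), "resolve a host name with getaddrinfo"))
    return findings


def gate_passes(source: str) -> bool:
    """Hand-off rule assumed here: no IPv4-only construct may remain."""
    return not scan(source)


# Constructed sample: one legacy function and one protocol-neutral function.
SAMPLE_C = '''\
#include <netdb.h>
int legacy_connect(const char *host) {
    struct sockaddr_in sa;                      /* IPv4-only address struct */
    struct hostent *he = gethostbyname(host);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = inet_addr("192.0.2.15");
    return he != 0;
}
int portable_connect(const char *host) {
    struct addrinfo hints = {0}, *res;
    struct sockaddr_in6 peer6;                  // not flagged: IPv6 struct
    hints.ai_family = AF_UNSPEC;
    return getaddrinfo(host, "443", &hints, &res);
}
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE_C):
        print(f"line {finding.line}: {finding.token} -> {finding.suggestion}")
    print("gate passes:", gate_passes(SAMPLE_C))
```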


[STEP FIVE]

Make IPv6 Part of the Refresh Cycle

There’s no telling just how expensive upgrading to IPv6 will be. NIST estimated that a midsize company with eight routers and 150 switches and four firewalls would spend just under $2 million to upgrade its network. But that doesn’t include laptops, printers and software charges. A Government Accountability Office audit released at the end of June found that government agencies anticipated spending just under $1 million to more than $20 million on their upgrades.

That’s a hit. But much of the cost can be absorbed as part of the normal technology refresh cycle, says David Powner, director of IT management issues for the GAO. (Provided CIOs come up with a master inventory list and corresponding plan.) Buying the right products at the right time minimizes the extra costs associated with moving to IPv6. “We have our plan down to the single piece of equipment level. We know all the way out to 2010 what we are upgrading and when,” says Schlosser.

Network  managers  will  have  to  be 
trained  on  how  to  use  the  new  technology, 
and  CIOs  will  have  to  establish  labs  to  test 
the  new  capabilities  and  see  firsthand  how 
IPv6  works.  Bechtel  has  four  such  labs 
running  over  200  IPv6  machines  today.  It 
gives  the  company  a  chance  to  understand 
how  the  IPv6  environment  operates  before 
exposing  anything  to  the  outside. 


[STEP  SIX] 

Assess Your Security Posture

IPv6 shifts the traditional security paradigm for IT from protecting the perimeter with firewalls and intrusion detection to protecting individual devices and applications directly. Eventually this will make security much easier, since CIOs will be able to limit access to their company’s data to approved devices as well as approved users.

But  in  the  short  term  it  also  presents  a 
challenge. 

Most current network monitoring systems can’t detect IPv6 traffic. And given that network equipment makers have been selling IPv6-capable equipment for years, most companies are probably running some IPv6 that they don’t know about. That means that a hacker with an IPv6 connection could get on your network and theoretically move around undetected. The best defense is to turn off the IPv6 capability in your products until you are ready to offer or consume IPv6 services. Schlosser says part of her job is to monitor HUD’s network to make sure that no one is turning on IPv6 too early.
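One way to run the monitoring check described above, as an added example that is not from the article: the Python code below inspects captured Ethernet frames and flags native IPv6 as well as IPv6 tunnelled inside IPv4 (IP protocol 41, and Teredo on UDP port 3544), which goes beyond the native case the text mentions. The frames and addresses are constructed sample data and the function names are hypothetical.

```python
import ipaddress
import struct

ETH_IPV4, ETH_IPV6, ETH_VLAN = 0x0800, 0x86DD, 0x8100
PROTO_UDP, PROTO_IPV6_ENCAP = 17, 41   # IP protocol 41 = IPv6 carried inside IPv4
TEREDO_PORT = 3544                     # UDP port used by Teredo tunnelling


def classify_frame(frame: bytes):
    """Return (kind, source) if an Ethernet frame carries IPv6, else None."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    while ethertype == ETH_VLAN and len(frame) >= offset + 4:  # skip 802.1Q tags
        ethertype = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        offset += 4
    if ethertype == ETH_IPV6:
        if len(frame) < offset + 40:
            return ("native-ipv6", "truncated")
        return ("native-ipv6",
                str(ipaddress.IPv6Address(frame[offset + 8:offset + 24])))
    if ethertype != ETH_IPV4 or len(frame) < offset + 20:
        return None
    ihl = (frame[offset] & 0x0F) * 4               # IPv4 header length in bytes
    if ihl < 20 or len(frame) < offset + ihl:
        return None
    proto = frame[offset + 9]
    src = str(ipaddress.IPv4Address(frame[offset + 12:offset + 16]))
    if proto == PROTO_IPV6_ENCAP:
        return ("ipv6-in-ipv4", src)
    frag = struct.unpack("!H", frame[offset + 6:offset + 8])[0]
    first_fragment = (frag & 0x1FFF) == 0           # only then is a UDP header present
    if proto == PROTO_UDP and first_fragment and len(frame) >= offset + ihl + 4:
        sport, dport = struct.unpack("!HH", frame[offset + ihl:offset + ihl + 4])
        if TEREDO_PORT in (sport, dport):           # port match is a heuristic
            return ("teredo", src)
    return None


def audit(frames):
    """Return (frame index, kind, source address) for every IPv6 sighting."""
    findings = []
    for index, frame in enumerate(frames):
        hit = classify_frame(frame)
        if hit:
            findings.append((index, *hit))
    return findings


# --- constructed sample traffic (documentation address ranges) ---
def _eth(src_mac, ethertype, payload, vlan=None):
    header = b"\xff" * 6 + bytes.fromhex(src_mac)
    if vlan is not None:
        header += struct.pack("!HH", ETH_VLAN, vlan)
    return header + struct.pack("!H", ethertype) + payload


def _ipv4(src, dst, proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload


def _ipv6(src, dst):
    return (struct.pack("!IHBB", 0x60000000, 0, 59, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)


def _udp(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)


SAMPLE_FRAMES = [
    _eth("020000000001", ETH_IPV4, _ipv4("192.0.2.10", "198.51.100.5", 6, b"\x00" * 20)),
    _eth("020000000002", ETH_IPV6, _ipv6("fe80::1", "ff02::1"), vlan=20),
    _eth("020000000003", ETH_IPV4,
         _ipv4("192.0.2.23", "198.51.100.1", 41, _ipv6("2001:db8::23", "2001:db8::1"))),
    _eth("020000000004", ETH_IPV4, _ipv4("192.0.2.31", "198.51.100.9", 17, _udp(49152, 3544))),
    _eth("020000000005", ETH_IPV4, _ipv4("192.0.2.40", "198.51.100.53", 17, _udp(49153, 53))),
]

if __name__ == "__main__":
    for index, kind, source in audit(SAMPLE_FRAMES):
        print(f"frame {index}: {kind} from {source}")
```

A sighting on a segment where IPv6 is supposed to be switched off points to the host that needs its IPv6 stack or tunnel adapter disabled.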

Flip the Switch Carefully

Just  when  exactly  CIOs  should  turn  on 
IPv6  functionality  depends  on  both  the 
company  and  the  marketplace.  (Bechtel 
anticipates  running  IPv6  before  the 
2008  government  deadline.)  But  that 
doesn’t  mean  you  can  afford  to  wait  before 
starting  to  upgrade.  “Companies  need  to 
understand  that  this  is  coming,”  says 
Wettling.  “It  is  inevitable.” 

Right now, says Wettling, education and awareness is the single biggest challenge. “It is easy to buy these products now for no additional cost,” he says. “It is beyond me why you would buy products that don’t have IPv6.”


Senior  Writer  Ben  Worthen  can  be  reached  at 
bworthen@cio.com. 


IPv6  Rules 


For more on IPv6, read “CHINA BUILDS A BETTER INTERNET” at www.cio.com/071506. To visit the National Telecommunications and Information Administration’s IPv6 homepage, find the link at www.cio.com/100106.




THE CIO EXECUTIVE COUNCIL


SOA  TRANSFORMATION 


IDEAS  &  INSIGHTS  FROM  THE  CIO  EXECUTIVE  COUNCIL  ::  EDITED  BY  DAVID  ROSENBAUM 


New  Roles,  New  Processes  for  SOA 


Around the CIO water cooler, service-oriented architecture, or SOA, still has all the buzz. The idea of creating reusable service components and deploying them in applications across the enterprise is irresistible. But CIOs are also beginning to realize that SOA is not just a project with a start and an end date. “The goal of an SOA project is not to get the first implementation done and then go back to business as usual,” says Richard Thomas, senior VP and CTO at Quintiles Transnational, a pharmaceutical, health-care and biotech research company. “This is a whole new way of doing business.” (For more answers to your SOA questions, see “The Truth About SOA,” www.cio.com/061506.)

Members of the CIO Executive Council met recently in Chicago to discuss how to prepare for this new way of doing business. They shared their experiences in the areas of planning, cultural change, organizational structure and metrics.

Start  With  a  Business  (Process)  Plan 

The National Association of State Chief Information Officers (NASCIO) published a May 2006 research brief outlining ways that states can take advantage of SOA. (Go to the online version of this story at www.cio.com/100106 to download the brief.) A key NASCIO recommendation is not to rush into building an SOA without a transition plan and a defined business case. Drew Mashburn, chief enterprise architect for the state of Arkansas, contributed to the NASCIO research brief and currently is setting a strategic direction for SOA in his state. Right now, there are approximately 130 state agencies, boards and commissions in Arkansas, many with their own custom-built or purchased applications. “Moving to SOA will definitely be a huge cultural shift,” says Mashburn. “It’s critical to have strong support from agency leadership, the governor and the state legislature.”

To gain that support, Arkansas Executive CIO Doug Elkins and his workgroup are in the early phases of establishing a strategic plan that will identify common business processes across agencies, identify potential areas for interoperability and application reuse, and specify cost savings and other efficiencies. The plan will articulate the two most important benefits that SOA is expected to bring: cost savings and increased collaboration between agencies.

Calculate  the  Cultural  Change 

Approaching SOA as a change management challenge will help CIOs prepare for the cultural issues that invariably will arise in such fundamental areas as application and resource ownership. Neal Shaw, chief architect at H&R Block, admits that he “underestimated the amount of cultural change that would be required.” For instance, one of Shaw’s application teams built a service for a specific application. Other development teams decided to use the new service for their own projects but failed to inform the original builders. Consequently, when an update was made to the new service, the other applications that had incorporated it broke. Developers must now think about who “owns” which service and what updates might be forthcoming.

To create this shift in mind-set, Rick Sweeney, chief architect at health insurer Blue Cross Blue Shield of Massachusetts, encourages his staff to think differently about business user requests. For example, when a user asks for enrollment data, his staff doesn’t treat it as an information request and then think about how to craft an application to fulfill it; they consider it an “enrollment service” request, which prompts discussion about potentially reusable components. This change may seem purely semantic, but the new kind of thinking it generates is very important to SOA success.

An IT Dashboard With a Difference

[Figure: IT dashboard screenshot for Southeast Toyota Distributors, LLC, reading “All Systems are Available”]

When he looks at his IT dashboard, Ken Yerves, CIO and senior VP at JM Family Enterprises (Southeast Toyota is a unit of JM), no longer sees a category for “application availability.” Instead, the dashboard displays the number of minutes that a service is meeting an agreed-upon level. When any process falls below that level, the dial goes to red and begins showing how long the service is out of whack. Once the issue is resolved, it returns to green and the timer resets. For more on SOA metrics, see “SOA’s New Math.”

[METRIC SYSTEMS]

SOA’s New Math

[Photo: Tom Holmes]

When CIOs first move to an SOA environment, they need to look beyond traditional metrics to quantify the value of their investment.

When Ken Yerves looks at his IT dashboard today, he no longer sees the traditional metric for application availability. “The whole concept of an application goes away with SOA,” says Yerves, CIO and senior VP at JM Family Enterprises. Now he looks at business process and service availability.

Adds Tom Holmes, JM Family’s VP of technology operations, “Every business process is shown [on the dashboard], and we can see how long the process is taking to complete.”

The dashboard displays the number of minutes that a service has been meeting an agreed-upon service level. When any process falls below the target, the dial goes red and the number resets to zero and then keeps track of how long the service is affected. Once the issue is resolved, the dial turns to green and the timer resets to zero.

At H&R Block, when developers are asked to build a system that can take advantage of services, Neal Shaw, chief architect, estimates what it would have cost to build the system the old way and shares that information with CIO Marc West. West uses the comparison to communicate SOA’s cost-saving success to the rest of the enterprise. Conversely, Shaw sometimes has to advocate for spending more. “We might be spending 20 percent more now to build a system, but I can show payback year after year [derived] from the reusable components,” Shaw asserts.

When Patrick Moroney, former senior VP and CIO at $27 billion health insurer Health Care Service, planned to introduce SOA there, he projected setting up measures for service usage trends, response performance and value. One type of value he quantified was complexity reduction. For example, the company had four subscriber eligibility engines, but SOA would reduce that to a single service, allowing three of the four systems to be phased out. -CM.

Create  IT-Business  Relationship  Roles 

Organizing for SOA can also lead to changes in the structure of the IT staff. Thomas at Quintiles Transnational created a new position called business relationship manager. “I want these people to look at the entire business line and make sure that it’s consistent with what IT is doing with SOA. They are our single point of contact,” says Thomas. When Quintiles works on an implementation with a process or service component that could have high value within or across business lines, the business relationship manager takes ownership of that implementation.

CIO and Senior VP Ken Yerves of JM Family Enterprises, an automotive holding company, agrees that staff realignment may be needed to adopt SOA successfully. He created a new position, client advocate, at the same time that his company was moving to SOA. About 20 client advocates staff four project management offices and are subject-matter experts for those specific business processes. With this expertise, they can identify potential process changes to improve the business environment, and are responsible for analyzing business and user technology needs, including how best to apply reusable service components. “The business tells me that these client advocates actually know how the business works better than they do,” says Yerves.

The training needed for these new IT-business expert roles should
not be underestimated, particularly in nontechnical areas like general
business strategy, business processes and service delivery. “I have
actually doubled my training expenses year-on-year since we started
our SOA implementation three years ago,” Yerves says. “And it hasn’t
been for pure technical training.”


Carrie  Mathews  is  a  program  manager  with  the  CIO  Executive  Council.  Send 
comments  about  this  article  to  letters@cio.com. 


The  CIO  Executive  Council  is  a  professional  organization  for  CIOs  founded  by  CIO's  publisher.  To  learn  more  about  the  council, 
visit  www.cioexecutivecouncil.com  or  contact  VP  of  Development  Dexter  Siglin  at  dsiglin@cio.com  or  508  935-4493. 




SALES AND SERVICES

CIO SALES OFFICES

President and CEO: Michael Friedenberg • 508 935-4310
Publisher: Gary J. Beach • 508 935-4202
VP, National Associate Publisher: Bob Melk • 415 975-2685
Sales Operations Manager: Dawn Cora • 508 935-4092
Fax • 508 879-6063

EAST COAST

VP Sales, East: Brian Glynn • 508 935-4586
Regional Sales Manager: Ellie St. Louis • 201 634-2332
Senior Sales Associate: Norma Tamburrino • 201 634-2329
Fax • 201 634-9513

NORTH CENTRAL/SOUTHWEST/SOUTHEAST

Regional Sales Manager: Beth DeVillez • 847 759-2727
Advertising Sales Associate: Kim Giovanni • 847 759-2728
Fax • 847 759-2729

WEST COAST

Senior Regional Sales Manager: Ai Collins • 415 975-2686
Regional Sales Manager: Kevin Ebmeyer • 415 975-2684
Account Executive: Derek Jung • 415 975-2683
Fax • 415 543-2358

SOUTHERN CALIFORNIA

Regional Sales Manager: Kevin Ebmeyer • 415 975-2684

ONLINE SERVICES

VP, Online Sales: Jim Alla • 508 988-6763
Online Regional Sales Manager: Tina Dudarevitch • 718 279-2396
Online Regional Sales Manager: Lori Kehoe • 415 978-3329
Online District Sales Manager: Sara Mascall • 415 978-3385
Manager, Online Account Services: Danielle Tetreault • 508 988-7969
Online Account Services Specialist: Valerie Sumner • 508 988-7877
Online Ad Sales Associate: Devon Slattery • 415 975-2687
Online Advertising Specialist: Irina Gabechiia • 508 935-4414

CUSTOM PUBLISHING

VP, Integrated Media: Matt Avery • 508 935-4796
Director of Sales: Mary Gregory • 508 988-6765
Executive Editor and Director of Operations: Tom Field
Director, Integrated Project Management: Mo Barrett
Managing Editor: Jim Malone
Senior Project Manager: Amy Greenleaf
Project Manager: Karen Capland

LIST SERVICES

Contact Paul Capone of IDG List Services at 508 370-0865 or
pcapone@idglist.com.

REPRINT SERVICES

For article reprints (100 quantity or more), please contact
Jennifer Eclipse at PARS International at 212 221-9595 x237
or via e-mail at jeclipse@parsintl.com.


CIO is published in the U.S. as well as in:

Australia, CIO Australia: www.idg.com.au
Canada, CIO Canada: cio.itworldcanada.com
China, CEO & CIO China: www.ceocio.com.cn
France, CIO France: www.idg.fr/cio
Germany, CIO Germany: www.cio.de
India, CIO India: 91-80-521-0309/12
Japan, CIO Japan: www.idg.co.jp
The Netherlands, CIO Netherlands: www.cio.nl
New Zealand, CIO New Zealand: www.idg.co.nz
Norway, CIO Business Standard: www.business-standard.no
Poland, CXO Poland: www.cxo.pl
Singapore, CIO ACEN/Hong-Kong: www.idg.com.sg
South Korea, CIO Korea: www.cio.seoul.kr
Sweden, CIO Sweden: www.cio.idg.se

For further sales information: www2.cio.com/marketing/aboutcio/contacts.cfm


INDEX  OF  COMPANIES  AND  ADVERTISERS 


Page  numbers  refer  to  the  first  page  of  the  article(s)  in  which  the  company  has  a  substantial  mention.  This  index  is 
provided  as  a  service  to  readers.  The  publisher  does  not  assume  any  liability  for  errors  or  omissions. 


COMPANY INDEX

Accenture: 25
American Power Conversion Corp.: 25
Apple Computer Inc.: 25
Axcelis Technologies Inc.: 40
Bearingpoint Inc.: 52
Bechtel Corp.: 76
Blue Cross and Blue Shield of Kansas City: 70
Bristol West Holdings Inc.: 40
Capital One Financial Corp.: 8
Command Information Inc.: 76
Dell Inc.: 25
Diamond Management and Technology Consultants Inc.: 52
Dow Chemical Co., The: 52
Exxon Mobile Corp.: 52
ForeSee Results: 25
Gartner Inc.: 52
Gateway Inc.: 25
General Electric Co.: 40
Google Inc.: 25
H&R Block: 86
Health Care Service Corp.: 86
Henry Schein Inc.: 52
Hewlett-Packard Development Co., L.P.: 25
IBM Corp.: 25
Informatica Corp.: 40
Infosys Technologies Ltd.: 25
Intel Corp.: 35
JM Family Enterprises Inc.: 86
Johns Manville: 40
Perot Systems: 52
Phillips Electronics: 35
Purdue Pharma L.P.: 40
Quintiles Transnational Corp.: 86
Sprint Nextel: 25
Sun Microsystems Inc.: 25
Tata Consultancy Services Ltd.: 25
TriZetto Group Inc., The: 70
ThinkStrategies Inc.: 52
Vanguard Group Inc., The: 52
Ventoro LLC: 52
W Group, The: 52
Warner Music Inc.: 8
Xerox Corp.: 35

ADVERTISER INDEX

3PAR: 7
Akibia Inc.: 11
AT&T: C2
BearingPoint Inc.: 20
Brother International: 73
BT: 59
CA: 81, 83
CDW Corp.: 89
Citrix Systems Inc.: 31
Cognos Inc.: 45
CXO Media Inc.: 49, 84, 91
Dell Inc.: 9
EMC2 Corp.: 19
ESRI: 43
Fujitsu Computer Systems Corp.: 75
Hewlett-Packard Co.: 14, 27
Hewlett-Packard Co. (regional): 47, 79
Hyperion Solutions Corp.: 61
IBM Corp.: 37, 39, 54, 65, 66, 68
Informatica Corp.: 17
Intel Corp.: 2, 87
Kyocera Mita Corp.: 51
Mercury: 29
NEC Corp.: 33
Next-Generation IT Architecture: 48a
Orange Business Services: 41
Perot Systems: 34
PricewaterhouseCoopers: 57
Primavera Systems, Inc.: 71
RightNow Technologies Inc.: 24
SunGard Availability Services: 23
Sybase Inc.: 4
Symantec Corp.: C4, 63
Tata Consultancy Services Ltd.: 13
Verizon Wireless: C3


CIO CONTACT INFORMATION

Editorial, Advertising and Business Offices: CXO Media Inc., 492 Old
Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208,
508 872-0080.

CIO (ISSN 0894-9301) is published semimonthly and as a combined issue
Dec. 15/Jan. 1 by CXO Media Inc. Periodicals postage paid at
Framingham, MA, and at additional mailing offices. Canada Publications
Mail Agreement Number 1902075. CANADIAN POSTMASTER: Please return
undeliverable copy to P.O. Box 1632, Windsor, ON N9A7C9.

Permissions: Copyright 2006 by CXO Media Inc. All rights reserved.
Reproduction of material appearing in CIO is forbidden without written
permission. Send all requests to Yadira Pizarro, PARS International,
212 221-9595, Ext. 231, or yadira@parsintl.com.

Photocopy Rights: Permission to photocopy for internal or personal use
or the internal or personal use of specific clients is granted by CIO
for users through the Copyright Clearance Center, provided that the
base fee of $3 per copy of the article, plus $.50 per page is paid
directly to Copyright Clearance Center, 27 Congress Street, Salem,
MA 01970. Please specify: ISSN 0894-9301. Permission to photocopy does
not extend to contributed articles followed by this symbol: 4-

Subscriptions: CIO is free to qualified information executives. To
apply, use our online subscription form at www.subscribe.cio.com.
Subscriptions are also available on a paid basis at a rate of $95 for
the United States and Canada, $195 International (payable in U.S.
funds only) and may be ordered online at
www.subscribe.cio.com/services.html. Or address inquiries to CIO,
P.O. Box 489, Northbrook, IL 60065-0489; 866 354-1125. Please allow
four to six weeks for a new subscription to begin. The single copy
price is $9 for the United States and Canada, and $15 International.
Prepayment is required, payable in U.S. funds.

Change of Address: Please go to www.omeda.com/custsrv/cio and follow
the online instructions.

Postmaster: Send change of address to CIO, P.O. Box 489, Northbrook,
IL 60065-9816. Printed in the U.S.A.




DEPARTMENT  OF  SELF-INTEREST 


Numbers  Grilled  to  Order 

Companies  are  forever  citing  “independent”  research  that  always  seems  to 
justify  their  business  strategies.  Let’s  take  a  closer  look. 


The Company:

Dell—king of build-as-we-sell PCs.

The Research:

“Overall, we found that the average increase in employee productivity
(number of hours worked) realized through the use of a notebook PC is
7.7 additional hours per week over the productivity associated with
using a desktop PC.”

The Source:

“UTech Consulting [was] commissioned by Dell Inc. to perform this study.”

The Coincidence:

Dell’s Dimension E510 Desktop PC retails for $649; Dell’s XPS notebooks
go from $1,200 to $3,500.


The Company:

Wal-Mart—the Arkansas-based retail behemoth (and RFID cheerleader)
famously founded by Sam Walton.

The Research:

“Wal-Mart customers found items they wanted in stock more often due to
the retailer’s use of electronic product codes (EPCs) powered by RFID
technology.... This study provides conclusive evidence that EPCs
increase how often we put products in the hands of customers who want
to buy them, making it a win for shoppers, suppliers and retailers.”

The Source:

“While Wal-Mart commissioned the study, it was conducted independently
by the University of Arkansas.”

The Coincidence:

That’s the University of Arkansas’ RFID Research Center at the
Sam M. Walton College of Business.


The Company:

Wyse Technology—thin-client computing.

The Research:

A report, “Thin Computing ROI: The Untold Story,” found that “Wyse
thin-client users...experienced significant business benefits from the
migration of a portion of their PC users to thin clients. These
benefits include reduction in hardware and software costs by 40 percent.”

The Source:

IDC, a sister company to CIO’s publisher.

The Coincidence:

Wyse is an IDC client and, as a matter of fact, sponsored the IDC study.


The Company:

Microsoft—bastion and defender of the proprietary software model.

The Research:

“The study found that [the non-Linux-running Microsoft] SQL Server 2000
had zero vulnerabilities in the one-year time period, [the
Linux-running] MySQL had seven vulnerabilities, and [the Linux-running]
Oracle 10g had 30 vulnerabilities.”

The Source:

Security Innovation

The Coincidence:

The Security Innovation study was “funded under a research contract
from Microsoft.”




ILLUSTRATION  BY  CHRIS  PYLE 



